2026 Review of the Privacy Act: Policy Approaches

Description

Canadians are often asked to provide the same personal data, like their name, address, or date of birth, to multiple government programs. Even when accurate and verified data is already held by a trusted government source, programs often collect personal data directly from individuals. This creates barriers to seamless service delivery and can be frustrating for Canadians who are repeatedly asked to provide the same information.

The Privacy Act sets rules that make asking people directly for their information the default even when another program, sometimes even in the same institution, already has accurate data. It also limits how that information can be reused, usually only for the same or a consistent purpose as the original reason it was collected. In most cases, reusing personal data or sharing personal data with another program for an alternative purpose requires the person’s consent or must meet one of the few legal exceptions.

These rules were designed to protect privacy, but they make it harder to deliver modern, connected services that rely on secure data sharing. The goal is to make it easier for programs to share data responsibly, so Canadians only have to provide information once.

The proposal considers amending the Privacy Act to introduce a new, purpose-based approach that allows government institutions to reuse and securely share personal data with each other and with their provincial, territorial, or municipal partners without asking for consent, if it clearly serves a public interest or directly benefits individuals, such as improving service delivery or program operations, and only when:

• the personal data reused and shared is limited to what is necessary, clearly required, and helps achieve the program or activity’s goal
• the reuse and sharing are done in the least privacy-invasive way possible
• strong safeguards are in place to protect privacy

Current data sharing practices, such as for investigations, assistance from a member of Parliament, audit and research, would all need to meet the requirements outlined in these criteria.

Under this proposal, repeatedly collecting the same personal data directly from individuals would no longer be the default approach. Programs wouldn’t need to seek consent to reuse or share personal data, when the sharing meets these new rules. However, people would still be informed when their data is reused or shared. This would be done through stronger transparency requirements, including clear, easy-to-understand privacy notices that are published in a central registry before the data is shared or reused. The concept of a centralized registry is further explored in proposal 4.

Benefit

This change would reduce duplication in data collection, support faster service delivery and help make interactions with government simpler and more efficient. It would enable responsible, privacy-protective data reuse and sharing that serves the public interest and benefits individuals. By ensuring that sharing is limited to what is necessary, clearly beneficial, and supported by strong safeguards and transparency, the proposal would help modernize service delivery while maintaining Canadians’ trust in how their personal data is managed.

Description

As government programs increasingly rely on personal data to deliver services, it has become clear that the current siloed model, where each program collects and manages its own data, creates inefficiencies. It also creates inconsistencies when data is updated in one program, but not in others, forcing individuals to advise multiple government programs of changes in their information. This approach doesn’t support the kind of integrated, efficient services Canadians expect from a modern government.

This proposal considers a new model: formally designating certain programs or institutions as the official sources for specific types of personal data. These “designated official sources of government digital data” would act as trusted references for commonly used data.

Programs would be required to obtain personal data from designated official sources rather than collect it again, unless there is a clearly defined reason to do otherwise. Exceptions would be clearly defined in regulation.

For example, programs may still need to collect data again for national security, law enforcement, or to meet international treaty obligations. Sensitive data may also be excluded from designated official sources, depending on the context and risk level. The treatment of sensitive data is further explored in proposal 7.

The designation process would be guided by clear criteria and overseen by TBS, in collaboration with the responsible institution. Additionally, TBS could maintain a registry of the official sources of government digital data.

Benefit

Requiring the reuse of personal data from designated sources may take more effort to set up initially, including establishing secure systems and formal data sharing frameworks. However, the long-term benefits are substantial.

It would reduce the need for repeated data collection, lower storage costs, and simplify updates to personal data for individuals by allowing them to maintain their data in fewer trusted locations. For institutions, it would support better coordination and reduce administrative overhead. Designating official sources of government digital data would improve the consistency and reliability of data. It would enable faster, more integrated service delivery and help programs respond more effectively to individuals’ needs.

This proposal lays the foundation for a more streamlined, accurate, and privacy-conscious data ecosystem that could even be extended across different levels of government, as appropriate.

Description

PIAs are careful reviews done by government officials to understand how a program or activity uses people’s personal data, what privacy risks might exist, and how those risks can be reduced. PIAs help make sure privacy is considered early, before a new program starts or an existing one is significantly changed.

Right now, government policy requires institutions to complete a PIA when personal data is used to make decisions about individuals, and to submit the completed PIA to both the Office of the Privacy Commissioner and TBS.

This proposal would change the Privacy Act to make PIAs a legal requirement instead of a policy requirement. Institutions would be legally required to complete a PIA before starting a new program or making major changes to an existing one when personal data is used to make decisions about people. Completed PIAs would have to be shared with the Commissioner’s office, so they can review the assessment for compliance with the Act.

Additionally, TBS would continue to receive PIAs under policy to help identify trends and systemic issues, and develop guidance, training, and privacy policies. Since PIAs are already required under policy, it would not create an additional approval process or delay program implementation.

The proposal also considers requiring institutions to publish plain language summaries of completed PIAs, excluding any information that could cause injury to law enforcement, investigations, or national security.

The law would set the requirement to complete a PIA, but the details, such as what needs to be included, would still be set by policy. This allows the rules to be updated more easily as technologies, risks, and best practices change over time.

Benefit

Embedding PIAs into the Privacy Act would reinforce their role as a proactive safeguard that helps institutions identify and address privacy risks early in program and activity design. It would strengthen accountability by making PIAs a legal obligation, improve oversight through mandatory submission to the Commissioner’s office, and enhance transparency by requiring plain language summaries to be published. This change would support consistent practices across government, align with international and provincial standards, and help build public trust in how institutions manage personal data.

Description

The current transparency mechanism for describing how federal institutions manage personal data was designed for a time when government programs mostly worked independently and stored information on paper. At that time, sharing personal data between programs was uncommon and difficult.

Today, technology makes it easier to share personal data securely, and there is a growing need to reuse data across programs to improve services. As these practices evolve, so too should the tools used to describe personal data holdings.

Current transparency tools include personal information banks (PIBs) and classes of personal information. This information is published across institutions’ websites, and is sometimes presented in technical terms, creating an opportunity to make it easier for individuals to understand how their personal data moves through government programs and how it is protected.

This proposal would replace the PIB regime with a centralized registry of personal data holdings as the primary transparency mechanism. The registry would not store personal data. It would provide descriptions of personal data holdings and other privacy-related publications. In the registry, institutions would describe personal data holdings and how that information is handled. These descriptions would replace PIBs and classes of personal information and enhance transparency by providing people a clearer and more up-to-date view of how federal institutions collect and use personal data across different programs.

The type of information that institutions would publish in the registry would also include privacy notices explaining why data is collected and how it will be used, general descriptions of how personal data is shared between programs, and summaries of PIAs.

Institutions would also be required to publish key privacy-related information in advance, where possible, so that people can understand how their personal data will be handled before it is collected, used or shared. The goal is to make this information available early enough to support transparency and meaningful public understanding.

Some exceptions to publication requirements may be needed. For example, publishing certain information could interfere with law enforcement or national security. In these cases, institutions must be able to explain and demonstrate to oversight bodies why the information was not published.

Government should be transparent by default and only withhold information when it is truly necessary. If a complaint is made or an investigation takes place, institutions must be able to justify the decision. Exceptions should be limited, specific, and clearly set out in the Act.

Benefit

A centralized registry would improve how personal data practices across government are presented. It would replace a fragmented and outdated system with a single, consistent source of information. It would also make it easier for institutions to maintain up-to-date records and for the public to understand how personal data is managed across programs, as flow of data between programs would be more clearly articulated.

The new publication requirements would strengthen transparency by, where possible, making privacy-related information available before personal data is collected, used or shared. This would help people understand how their data will be handled, support oversight, and improve accountability. Together, these changes would help build public trust and support more consistent and responsible data practices across institutions.

Description

The Government of Canada is increasingly adopting rapidly evolving technologies such as AI and ADS to improve service delivery. ADS are systems that assist or replace human judgment in decision-making and are commonly implemented using AI technologies. While these technologies can improve efficiency and consistency, they raise concerns about transparency and trust.

Under the Privacy Act, individuals have the right to access and request correction of their personal data. This means they can ask to see the personal data the government holds about them and request changes if it is wrong or incomplete, provided that the personal data has or will be used to make decisions about them.

However, these transparency and redress mechanisms may not fully address the unique risks posed by AI and ADS. Individuals may find it hard to understand how AI or ADS work and what personal data these systems use to make or support decisions. There is no federal legislation in Canada that fills this gap.

The Treasury Board’s Directive on Automated Decision-Making sets mandatory rules for transparency, accountability and data governance, but it is not law and it does not apply to all institutions subject to the Privacy Act. It applies to about 100 departments listed in the Financial Administration Act. Elevating the transparency requirements in the directive into law would make these rules apply to all other federal institutions.

This proposal would amend the Privacy Act to require institutions, upon request, to explain how an ADS supported a decision and what personal data was used. The individual would be first notified that an ADS was employed, as outlined in proposal 6 below. Then, this requirement would help individuals check if the data used by the ADS is accurate and ask for corrections if needed. People could also ask for a human review of a decision if they believe the ADS made a mistake or used incorrect or incomplete personal data.

This requirement would only apply to ADS that use personal data to make or support decisions that directly affect individuals. For instance, it could apply when an institution uses personal data to enable an ADS to make a prediction, recommendation, or decision that directly affects someone’s access to services or benefits, or on their legal rights.

Benefit

Introducing these transparency requirements and allowing individuals to request human review would make the use of AI and ADS more transparent and accountable. These measures would help ensure that decisions are made based on accurate data, reinforce transparency, and build public trust in how technology is used in government programs. They would also strengthen the existing right to correct personal data by making it easier for individuals to identify and fix errors in the data used by these systems.

While the directive already outlines similar principles, embedding these requirements into law would increase their applicability to a wider set of institutions and ensure greater oversight, enforceability, and redress. By adding these requirements to the Privacy Act, the government would be taking an important step toward responsible and ethical use of AI in the public sector.

Description

Privacy notices help people understand how their personal data will be used, shared and protected. They explain why the data is being collected, what it will be used for, and whom it might be shared with. Except in specific situations, these notices are provided when the government collects personal data directly from someone, but notices can be hard to find later and are sometimes written in complex or technical language that is hard to understand.

This proposal would strengthen the Act’s notice requirements to ensure that privacy notices are written in plain language, provided as soon as reasonably possible when personal data is collected, and published in the centralized personal data registry. Notices should be easy to find and view at any time.

Additional notice requirements would apply when programs use personal data to make decisions that directly affect someone and where those decisions are made or supported by ADS. Institutions will need to notify the person before or as soon as reasonably possible after the system starts using their personal data. The notice would provide a general explanation so the person can understand how the ADS handled their personal data and how the decision was made. Knowing where and how ADS are used would help people ask questions and understand the process.

Some exceptions to notice requirements may be needed. As was noted in proposal 4, such exceptions should be justified and permitted only in limited and specific circumstances defined in the Act.

Benefit

Stronger notice requirements would help people better understand why and how their personal data is used. Giving timely notices and ensuring that they are clear and easy to access would improve transparency and enhance public trust. This is especially important when automated systems are used to make decisions that affect individuals. Publishing these notices in a centralized registry would also make it easier for people to find details about how their personal data is handled and for the Commissioner’s office to monitor compliance.

Description

Federal institutions collect and manage many types of personal data ranging from basic contact details to highly sensitive biometric and ethnicity data. While all personal data must be handled responsibly, some types carry greater risks if misused or breached.

The Privacy Act treats most personal data the same except for publicly available information and a few categories excluded from its definition of personal information. It also doesn’t define key terms like publicly available, anonymized and de-identified data, even though the understanding of these dimensions is increasingly relevant to privacy in a digital environment.

This proposal considers amending the Act to formally recognize that personal data has different management requirements, especially regarding two separate dimensions: its sensitivity and its identifiability. Identifiability is already recognized in the Act, but sensitivity is not. Adding sensitivity would create a spectrum that considers both dimensions.

Sensitivity refers to how harmful it could be if the data were exposed or misused. Meanwhile, identifiability refers to how easily the data can be linked to a specific person, ranging from fully anonymized to directly identifiable. By acknowledging this spectrum, institutions can better assess risk and apply safeguards that match the level of sensitivity and the degree of identifiability of the personal data.

Sensitive data, such as ethnic origin, political opinions, religious beliefs, sexual orientation, biometric and genetic data, or certain types of children’s personal data, would require the strongest safeguards. Given the inherent nature of this data, if it is breached, it would automatically be treated as a material privacy breach. This means that federal institutions would need to contain the breach, take measures to reduce the harm to affected individuals, notify these individuals and report the breach to the Commissioner’s office, as outlined in proposal 8.

De-identified data, which is personal data that has been changed so it no longer directly identifies a person, may need only moderate safeguards to prevent breaches. Data that has been altered, such as by removing names or ID numbers, could be shared with trusted partners for things like research or service improvements, but it’s not risk-free, especially when the original data is sensitive. Additionally, because individuals cannot be readily identified in it, de-identified data is not accessible through a personal data request.

Publicly available personal data, which is personal data that is lawfully available to the public for free, on request, by subscription, or by purchase (including information published in print or online, in public records, or shared by the individual in a public forum), would need fewer safeguards than other types of personal data listed above. Because this kind of data is already accessible to others, there are generally lower expectations of privacy. However, it does not include personal data where a person would reasonably expect privacy.

Lastly, anonymized data, which is data that has been irreversibly and permanently altered such that there is no reasonably foreseeable risk of re-identification, would be clearly recognized in the Act as no longer personal data and therefore not subject to its provisions. This would reinforce the current interpretation and provide greater clarity to institutions. Anonymization would also be recognized as a valid method of disposal of personal data.

Proposed definitions for sensitive data, de-identified data, publicly available personal data and anonymized data are provided in proposal 14.

Benefit

Recognizing the sensitivity and the identifiability of different types of data would help institutions apply the right safeguards based on risk. It would provide clearer guidance for managing personal data responsibly, support safe reuse, and help institutions recognize and report privacy breaches more confidently. This change would modernize the Privacy Act and ensure that protections are focused where they matter most.

Description

Government policy defines a privacy breach as the improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal data. Put simply, this means privacy breaches happen when personal data is handled in ways that go against the rules for how it should be protected.

This includes situations where personal data is collected without a valid reason, used for the wrong purpose, accessed by someone who shouldn’t see it, shared inappropriately, kept for too long or not properly disposed of. It also includes cases where personal data is lost or stolen. These kinds of situations can cause serious harm to the people affected, such as identity theft, discrimination or emotional distress.

The Directive on Privacy Practices includes mandatory procedures for institutions to follow in the event of a privacy breach. Institutions are required to act quickly to contain the breach, assess the situation, take measures to reduce potential harm and prevent incidents from recurring, and keep a record of all privacy breaches. Institutions are also required to notify affected individuals and report breaches to the Commissioner when they could cause a real risk of significant harm.

Since there are currently no legal requirements for the management of privacy breaches in the Privacy Act, this proposal considers amending the Act to elevate these policy requirements into law. As cyber security incidents involving personal data are becoming more frequent around the world, elevating these rules into to law could provide greater protection.

Exceptions to notification may apply in rare cases, such as when informing individuals could cause more harm or interfere with an investigation. These exceptions would be clearly defined and properly documented.

Benefit

Making breach management, notification, reporting and record-keeping a legal requirement would enhance government accountability. It would also ensure that individuals are given timely information when their data is at risk and improve transparency. Keeping records of all breaches would help identify patterns, monitor risks, and support oversight. Together, these measures could strengthen public trust in how personal data is protected and managed by federal institutions.

Description

When federal institutions handle personal data, people expect it to be protected. The government takes this responsibility seriously and current policy includes requirements to safeguard personal data. However, the Privacy Act does not include an explicit legal obligation to do so, nor does it expressly require institutions to use the necessary physical, technical, and administrative security measures to protect personal data.

In today’s digital environment, personal data is often stored and shared electronically, making it easier to access and reuse than traditional paper records. Digital information can move quickly across systems and is sometimes targeted in cyber attacks, which creates additional challenges for managing and protecting it effectively. These realities highlight the need to reinforce existing safeguards by making them enforceable under law.

Canadians have also raised concerns about their personal data being stored in other countries, where it may be subject to foreign laws that do not necessarily offer the same protections as Canadian ones. This proposal would make it a legal requirement for institutions to use physical, technical, and administrative security measures to safeguard the personal data it holds, including whenever personal data is stored or processed outside Canada, or in any other situation that introduces risk. These measures would need to be appropriate for the level of sensitivity of the data and risks involved.

Benefit

Embedding a legal requirement to safeguard personal data would strengthen accountability. It would ensure that institutions take the necessary steps to help prevent privacy breaches and reinforce public trust in how personal data is managed. By requiring safeguards that reflect the sensitivity of the data, institutions would be better equipped to manage risks and protect Canadians’ privacy in a rapidly evolving digital environment.

Description

As institutions have shifted from paper-based systems to digital platforms, the ability to collect and store large amounts of personal data has grown significantly. This creates new opportunities for efficiency, but also increases the risk of collecting more data than is necessary, which can raise privacy concerns.

Section 4 of the Privacy Act currently provides that institutions can collect personal data only if it relates directly to an operating program or activity of the institution. This means that, as long as a program has legal authority, it can collect any personal data that is directly connected to that program. While this provides an important limit, it does not prevent institutions from collecting more data than is necessary. This creates risks for privacy and increases the chances that personal data could be over collected.

The Directive on Privacy Practices requires institutions to limit the collection of personal data to what is demonstrably necessary for their programs or activities. This is an important safeguard, but it is not enough on its own. Because this requirement is only in policy, it does not have the force of law.

To provide stronger protection, this proposal considers amending the Privacy Act to include a clear legal necessity test. This means, before institutions collect personal data, they would need to ensure that the collection meets the following criteria:

• Legal authority: the institutions must have legal authority for the program or activity concerned, consistent with the current requirement that personal data relate directly to an operating program or activity.
• Necessity: the collection of personal data is limited to data that is reasonably required to achieve a clearly defined purpose that is directly related to an operating program or activity.
• Effectiveness: the data collected is likely to achieve that purpose.
• Minimal intrusiveness: there is no less privacy-intrusive way to reasonably achieve that purpose.

The intent of introducing a legal necessity test is not to impede the effective administration of government programs or make data collection unduly burdensome. Rather, it is to ensure that personal data is collected for clearly defined and legitimate purposes, avoiding unnecessary over collection, and providing clarity to federal institutions on what types of data are appropriate to collect.

Benefit

The proposed amendment would strengthen privacy protections by helping to prevent the over-collection of personal data while allowing programs to operate effectively. They would also help reduce privacy risks and build public trust in government operations and services.

Description

The Act assumes that all personal data is collected intentionally for either administrative or non-administrative purposes. In practice, there are situations where institutions may incidentally receive personal data they did not request (unsolicited) or collect additional data beyond what is necessary during legitimate activities. This can occur, for example, when using data scraping tools, conducting scientific or research surveys, or conducting interviews.

While these activities are undertaken for valid purposes, they can sometimes result in unintentional collections of personal data, or an inadvertent collection. When such data is retained unnecessarily, this can increase the privacy risks, as well as the potential impact of privacy breaches.

Keeping personal data longer than necessary, whether because it was over-collected or because it has passed its retention period, means it can still be exposed to a privacy breach. If the personal data had been securely disposed of, that risk would no longer exist. In today’s digital world, where storage capacity is greater than it has ever been, it is easy to keep data longer than needed, but doing so increases the chance it could be compromised.

This proposal considers amending the Act or the Privacy Regulations to require institutions to dispose of personal data that is not necessary, such as when personal data has been inadvertently collected, or that is no longer needed to fulfill the purpose which it was originally obtained. There would be some limited exceptions to this requirement, such as when the data has archival or historical purposes, or is required to comply with other legal requirements.

Benefit

This change would impose clear limits on retaining personal data that was collected unnecessarily. The proposal would help reduce the impact of privacy breaches related to the over-collection of personal data and help reduce the number of breaches related to extended retention of personal data. It would also strengthen privacy protections under the Act.

Description

The Privacy Act focuses on protecting the privacy of individuals and their data held by federal institutions, as well as granting individuals access to their data. This proposal considers updating the Act to recognize privacy as a fundamental right, underscore the importance of enabling service, and advance reconciliation with Indigenous Peoples.

Updating the purpose clause or the preamble to reflect these values and commitments would provide a stronger foundation for interpreting and applying the law. While neither the purpose clause nor the preamble create enforceable rights, they provide important interpretive guidance for applying the Act and shaping institutional practices.

The update would help ensure that privacy is treated not just as a procedural concern, but as a core democratic value that guides how personal data is managed across government. It would reflect the role of personal data as a strategic asset used to improve outcomes for Canadians. This change would also respond to feedback from Indigenous communities during earlier consultations, who emphasized the importance of embedding reconciliation into the foundation of federal legislation, such as the Privacy Act.

Benefit

Recognizing privacy as a fundamental right in the Act would provide an interpretive framework to help guide federal institutions in the responsible and consistent handling of personal data. It would also help align Canada’s public sector privacy law with other privacy laws internationally.

Updating the purpose clause or preamble would give clearer guidance on the values behind the Privacy Act. While these sections do not create enforceable rights, they help explain the objectives of the law and influence how it is applied.

Recognizing privacy as a fundamental right would encourage federal institutions to handle personal data responsibly and consistently. Adding service delivery as an objective would reflect modern expectations for digital government and support the responsible use of data to improve service and program delivery while protecting privacy. Including reconciliation in the preamble would show the Act’s alignment with Canada’s commitment to work respectfully with Indigenous Peoples and could help guide culturally sensitive privacy practices.

Description

The Privacy Act sets the basic rules for how federal government institutions collect, use, and protect personal data. After 43 years of technological advances and social change, expectations from people in Canada on how federal institutions handle their personal information have changed. To modernize the Act, the government proposes incorporating principles into the rules that govern personal data management. These principles would help federal institutions make decisions about personal data, no matter what technology they’re using.

This proposal considers introducing principles similar to those in Canada’s private sector privacy law (Personal Information Protection and Electronic Documents Act), international standards like Europe’s General Data Protection Regulation, and long-standing frameworks such as the Organisation for Economic Co-operation and Development Guidelines.

These principles would include accountability, identifying purpose, limiting retention, accuracy, safeguards, openness, and challenging compliance. Other principles, like privacy-by-design, necessity, proportionality, effectiveness, and minimal intrusiveness, are supported by privacy experts and past stakeholder consultations and are also being considered.

To ensure that these principles have practical impact, they could be outlined at the outset of the Act and integrated into its provisions, so they translate into clear rules, rights, and obligations. For example, the collection threshold would be strengthened to require that all collections are necessary to the needs of the program or activity, as outlined in proposal 10.

Benefit

Adding clear privacy principles in the Act would make it easier for institutions to interpret and apply the rules that govern the handling of personal data. It would help government institutions follow these rules more consistently.

These principles would also help Canada’s public sector stay in step with privacy laws used in other parts of the country and around the world. By embedding principles into obligations, the Act would guide government institutions in making decisions that are thoughtful and reasonable. Most importantly, they’d help build trust, so Canadians, including Indigenous people, can feel confident that their personal data is being treated with care and respect.

Description

To support consistent interpretation and modern privacy practices, this proposal considers adding definitions for several key terms to the Privacy Act. These include:

• privacy breach: The improper or unauthorized access to, creation, collection, use, disclosure, retention or disposal of personal data.^{Footnote 1}
• material breach: A privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.^{Footnote 1}
• anonymize: to irreversibly and permanently modify personal data, such that there is no reasonably foreseeable risk of re-identification.
• de-identify: to modify personal data so that an individual cannot be directly identified from it, though a risk of the individual being identified remains.^{Footnote 2}
• publicly available personal data: personal data that is currently available to or accessible by the public at large for free, on request, by subscription or by purchase. It includes personal data published electronically or in print; contained in public records; specified as publicly available by another Act of Parliament; published in a public forum by the individual to whom the personal data relates; and, compiled from various public sources. It does not include personal data that has been made public by accident or unlawfully.
• sensitive data: personal data for which an individual has a heightened expectation of privacy. The following categories of personal data are inherently sensitive:
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a person’s sex life or sexual orientation
• creation of personal data: the assignation by a government institution of any personal data element to an identifiable individual regardless of whether the data is derived or inferred from existing personal data under the control of the government institution. The creation of personal data is considered a collection.
• inadvertent collection: when personal data is gathered or collected without intention and for no necessary purpose (neither administrative nor non-administrative) in the course of conducting a program or activity.
• automated decision system: any technology that assists or replaces the judgment of human decision makers through the use of a rules-based system, regression analysis, predictive analytics, machine learning, deep learning, a neural network or other technique.^{Footnote 3}

These definitions could reflect concepts already used in federal policy, private sector legislation, and international standards, and would help clarify how personal data is protected and managed across institutions.

This proposal also considers replacing the current definition of personal information with a new definition for personal data. The current definition limits personal information to data that is recorded in any form. The new definition would remove that requirement.

For example, some online tools will do a quick face scan to confirm that a person is real and not a bot. The system analyzes the image in real time to make a decision, but it does not save or record the image anywhere. Even though the data is not stored, it still influences outcomes.

Implementing this change would also require reviewing and adjusting other provisions in the Act that should apply only to recorded personal data. For example, the right of access should still apply only to recorded personal data, whereas notice requirements should apply to both.

Benefit

Updating the Privacy Act with new definitions would support the proposals and improve consistency across government, while helping the Act align better with other laws and standards.

Description

Canadians currently rely on two separate laws to request information from the federal government: the Access to Information Act (ATIA) for general records and the Privacy Act for their personal information. This dual system for access requests can be confusing and inefficient. Individuals seeking access to their own information often do not know which law applies, and may end up navigating two separate processes, which can lead to delays, incomplete responses, and multiple requests.

This proposal considers removing the personal data request process from the Privacy Act and incorporating it into the ATIA, creating a more harmonized regime for access requests. While the processes would be aligned as much as possible, some differences would remain to reflect the unique nature of personal data. For example, exemptions that apply specifically to personal data, such as medical records and security clearances, would be retained.

Institutions would follow one consistent procedure for receiving, processing, and responding to requests, to the extent feasible, and related processes, such as consultations with other institutions and the application of exemptions and exclusions.

A harmonized regime would allow legislative provisions that currently apply to only one type of request to apply to both. For example, institutions could rely on the authority in the ATIA to decline to act on requests that are clearly abusive, such as those made in bad faith or intended to disrupt the process, regardless of whether the request is for personal data or general records.

The proposal also considers aligning complaint intake, triage, and investigation procedures under a unified oversight framework, simplifying how individuals raise concerns and how institutions respond.

Benefit

Integrating access requests into a single legal framework would make it easier for individuals to understand and navigate the system. It would reduce duplication, such as when people submit the same request under both Acts, and streamline internal processes for institutions. A harmonized regime would support more consistent service delivery, clearer communication with requesters and complainants, and more efficient oversight. Ultimately, this change would make it easier for Canadians to access their personal data and thus improve transparency.

Description

Right now, the Privacy Act uses fixed lists and a variety of terms to refer to Indigenous Peoples in three sections of the Act: 8(2)(f), 8(2)(k) and 19(1). This fixed list approach is limited, and updating lists requires changing the Act every time a new Indigenous government is recognized. Given the advancements in recognition of Indigenous governments, TBS is considering broadening the terms used.

For sharing data to help enforce laws or carry out investigations under paragraph 8(2)(f), sharing would be expanded to Indigenous entities that have signed a self-government agreement. This is because a self-government agreement sets out law-making powers.

Subsection 19(1), which protects information shared in confidence from another jurisdiction, would be expanded to Indigenous entities that have signed a Modern Treaty or a self-government agreement. Modern Treaty holders without self-government agreements are land claims agreement organizations.

Finally, sharing for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada, as set out in paragraph 8(2)(k), would be revised to sharing with an Indigenous government or Indigenous organization. Indigenous organization^{Footnote 4} means “an Indigenous governing body or any other entity that represents the interests of an Indigenous group and its members.”

Benefit

The proposed terms would broaden the disclosure provisions and protections to more Indigenous governments and organizations so that the scoping of each provision is linked to its purpose. Of note, it has been confirmed that the terms would include all groups currently listed in Privacy Act and would capture new groups over time as they are added to the respective categories.

The Government of Canada recognizes that furthering reconciliation is an ongoing process. Therefore, at future review (see proposal 23) it may be appropriate to look at these provisions again.

Description

One challenge when sharing personal data with Indigenous governments is identifying who their citizens are. Federal programs rarely collect information that allows individuals to be linked to their Indigenous government in a consistent way. This can make it difficult to share relevant information with Indigenous governments to support their information and service delivery needs.

A potential approach to addressing this challenge would be the creation of a specific category of personal data known as Indigenous personal data that would be subject to distinct governance considerations. During collection of new data, participants in key programs could opt to tie this designation to their data and identify the Indigenous government to which they are a citizen.

Which programs this option would apply to could be defined in engagement with the Indigenous governments and aligned with their data requirements, as outlined in proposal 18 below. Save for the specific collection, and its sharing and safeguarding rules, the management of Indigenous personal data would be otherwise governed in accordance with the rest of the Privacy Act.

Personal data of Indigenous people that is not categorized as Indigenous personal data would be managed and shared in accordance with the rest of the Privacy Act. This would include data that the individual chose not to consent to the designation, older data from before this designation and data that belongs to a dataset not related to the key programs identified in proposal 18.

Benefit

The Indigenous personal data designation would facilitate access to that data by the relevant Indigenous government by tailoring the sharing and safeguards to the uses and circumstances of that government. However, each Indigenous person would, nonetheless, have the option to determine how they wanted their own data to be treated.

Description

Indigenous partners have shared that they need better access to personal data about their citizens to support service delivery and self-governance. Many emphasized the importance of Indigenous data sovereignty, meaning First Nations, Inuit and Métis should have control over their own data.

One possible approach to supporting this objective would be to enable Indigenous governments to enter into agreements with the federal government to routinely receive copies of personal data about their citizens from key programs. These agreements would outline how the data is shared, what types of data are included, and how it will be protected. Indigenous governments would assume control of the copy of the personal data they receive and be responsible for protecting it.

The federal government program would also retain control and keep its own copy of the data to continue running its program. Other provisions, such as how the data will be stored, retained, used and disclosed, could be agreed upon between the Indigenous government and the federal government. A public registry of these agreements would be published to support transparency and consistency across programs.

If no agreement is in place, Indigenous governments could continue to obtain data from institutions through the provision currently in the Act that allow institutions to disclosure the data. These provisions are set out in subsection 8(2) of the Privacy Act.

Benefit

The proposal would support Indigenous data sovereignty and allow Indigenous governments to have greater access to the personal data of their citizens. However, the utility of the datasets will only be as good as the participation rates of the citizens of the Indigenous governments.

Description

Under the Privacy Act, the Privacy Commissioner can only make only non-binding recommendations for access requests and most privacy violations. In contrast, the Information Commissioner has binding order-making powers under the ATIA.

As part of the incorporation of personal data requests into the ATIA (in proposal 15), the Commissioner could exercise their existing order-making powers that are legally binding. This proposal considers corrective action plans (CAP) for matters related to the management of personal data.

When an investigation results in a Report of Findings, this proposal considers that the Commissioner could require institutions to develop and publish a CAP. Institutions could also be required to publish a follow-up report outlining progress in implementing the CAP. If an institution fails to comply, the Commissioner could refer the matter to the Federal Court. If there is disagreement, the institution could also seek a review of the matter in Federal Court.

Some exceptions to publication requirements may be needed. For example, publishing certain information could interfere with law enforcement or national security. In these cases, institutions must be able to explain and demonstrate to the Commissioner why the information was not published. Government should be transparent by default and only withhold information when it is truly necessary.

Furthermore, the Privacy Act requires the Privacy Commissioner to investigate every complaint received, regardless of whether it is frivolous and vexatious. With the integration of personal data requests into the ATIA (in proposal 15) there would be discretion to refuse or cease to investigate an access complaint in certain circumstances. This authority would be extended to complaints regarding the management of personal data and correction requests.

Benefit

Providing the Commissioner with binding order-making powers for CAP would strengthen oversight and enforcement, ensuring that institutions take meaningful action when privacy requirements are not met. The publication of the CAP and implementation report by the institutions would create accountability. These measures would improve compliance and enhance public trust by making corrective measures visible and enforceable. Moreover, the discretion to decline or discontinue complaints would allow for a more strategical and effective management of the caseload, making the best use of limited resources.

Description

The Privacy Act does not currently authorize the Commissioner to share information with other oversight bodies, even when collaboration would support investigations or coordinated enforcement. This limits the Commissioner’s ability to address privacy issues that involve multiple jurisdictions or regulators.

This proposal considers amending the Act to allow the Commissioner to share information, including personal data, with other regulatory and oversight bodies under defined conditions. This would include federal review bodies, provincial and territorial regulators, and international counterparts, where necessary to advance the Commissioner’s mandate in the public interest.

Benefit

Allowing the Commissioner to collaborate and share information would help with investigations and enforcement when privacy issues involve more than one jurisdiction. It would also support best practices in oversight, especially where shared responsibilities exist across sectors like law enforcement, financial regulation, and health.

Description

When personal data is de-identified, it means it has been changed so that it no longer directly identifies a person. Sometimes this is used as a safeguard to protect the data internally and sometimes it is used when sharing a dataset outside the program.

When de-identified data is shared, there is a possibility that someone could try to re-identify individuals by combining de-identified data with other information. This poses serious privacy risks, especially when sensitive data is involved. As such, some jurisdictions prohibit re-identification and impose penalties.

This proposal considers introducing offences for individuals or entities that intentionally re-identify data that has been de-identified, except where re-identification is permitted by law or is necessary as a matter of course for specific purposes such as investigations, national security, or other narrowly defined circumstances in regulations. Incidental or unavoidable re-identification that occurs during legitimate processing would not be considered an offence.

Benefit

Introducing offences for unauthorized re-identification would send a strong signal that privacy violations will not be tolerated. It would help protect Canadians’ personal data, build trust in data sharing practices, and support responsible innovation. By deterring misuse, this measure would also encourage institutions to share de-identified data more confidently, enabling stronger analysis of de-identified data.

Description

Under the current Privacy Act, individuals can ask the Federal Court to review decisions related only to access to their personal data. If their privacy rights are violated in other ways, such as improper collection, use, or disclosure of their data, they have no direct legal recourse under the Privacy Act.

This proposal considers expanding the Federal Court’s authority to allow individuals and the Commissioner to seek remedies for a broader range of privacy violations. It would also clarify further recourse options for the mishandling of personal data, ensuring that institutions are held accountable when they fail to comply.

Benefit

Expanding judicial remedies would give Canadians a meaningful way to enforce their privacy rights and seek redress when those rights are violated. It would strengthen accountability across federal institutions and ensure that privacy protections are backed by enforceable legal consequences.

Description

Unlike the ATIA, which requires a mandatory review every five years, the Privacy Act does not include a built-in obligation for regular legislative review. This has contributed to the Act falling behind modern privacy standards, other jurisdictions and public expectations.

Although section 75 allows for review by a parliamentary committee, past reviews have not led to meaningful updates. Parliamentary committees have repeatedly recommended modernizing the Privacy Act, including reports in 1987, 2009, and 2016. However, committees cannot introduce legislation.

This proposal considers introducing a mandatory review cycle. Similarly to section 93 of the ATIA, the amendment should require the designated Minister to conduct a comprehensive review every five years. Giving this responsibility to a single Minister would make accountability clear and increase the likelihood that recommendations lead to real legislative change.

Benefit

This change would align the Privacy Act with the ATIA and help keep both laws current and responsive to new technologies and privacy risks. A regular, Minister-led review cycle would support timely updates, strengthen accountability, and build public trust.