Global Data and Cyber Handbook

Canada

Select a Topic
Start Comparison
Key Definitions
Jump to
Key Definitions Start Comparison
Personal data

Last review date: 18 December 2024

Personal data generally means information about an identifiable individual. Information will generally be about an "identifiable individual" where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other information.

Sensitive/special personal data (including personal data subject to additional protections/ restrictions/breach notification obligations)

Last review date: 18 December 2024

Sensitive data includes:

☒         personal data revealing racial or ethnic origin

☒         personal data revealing political opinions

☒         personal data revealing religious or philosophical belief

☒         genetic data

☒         biometric data for the purpose of uniquely identifying a natural person or biometric templates

☒         data concerning health/medical information

☒         data concerning a natural person's sex life or sexual orientation

☒         financial information

☒         government identity card or number information

☒         personal data regarding an individual's criminal convictions or record

☒         passwords

Controller vs Processor

Last review date: 18 December 2024

Do the privacy laws distinguish between controllers/owners and processors/agents? Whereby:

  • The controller/owner is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • The processor/agent is natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Answer: No

Canadian privacy laws do not define the concepts of controllers and processors. Instead, the principle of accountability dictates that an organization is responsible for personal data that it collects, uses, or discloses. Regardless of whether an organization determines the purposes and means of processing personal data or processes personal data on behalf of another organization, the organization will generally be subject to the same requirements in respect of its collection, use and disclosure of personal data. However, we note that if an organization transfers personal data to a third party for processing, the transferring organization remains responsible for the personal data and must use contractual or other means to provide a comparable level of protection while the data is being processed by a third party.

{{ $store.state.loadingScreen.message }} ...