Most Canadians hear about “personal data” every time another breach hits the news, but few know exactly what the term includes or who is supposed to protect it. This guide breaks down what personal data actually is under Canadian law, why companies want it, and what is really at stake when it’s collected, shared, or stolen.
1. Why This Matters
Every service we use—banks, apps, telecom providers, hospitals, websites—collects pieces of our identity. Canada has clear definitions of personal information under PIPEDA (Personal Information Protection and Electronic Documents Act) and various provincial privacy laws, yet most people don’t know how broad the definition really is. When data is leaked or misused, the consequences can follow someone for years.
2. What Counts as “Personal Data” in Canada
Under PIPEDA and provincial acts (like Alberta’s PIPA, BC’s PIPA, and Québec’s Law 25), personal information means any information about an identifiable individual. It doesn’t have to be sensitive. It simply has to identify you directly, or be capable of identifying you when combined with other data.
Examples of personal data in Canada include:
- Your name, phone number, home address, email
- Government-issued IDs (SIN, driver’s licence, passport)
- Financial information (bank accounts, credit cards, transaction history)
- Health information
- Biometric identifiers (facial images, fingerprints, voiceprints)
- Online identifiers (IP address, device ID, advertising ID)
- Employment records
- Purchase history
- Location data and travel patterns
- “Inferred data” — predictions about behaviour, risk scores, interests, and habits
If the information can point to you, it’s personal data under Canadian law.

3. Why Companies Want This Data
Personal data is valuable because it enables:
- Targeted advertising
- Risk assessments (insurance, lending, fraud detection)
- Personalized services
- Behaviour tracking and analytics
- Product development
- Resale to third-party data brokers
In short: your data is a revenue stream.
4. What’s Really at Stake
Once your data is collected, it can be:
- Breached (common)
- Shared with partners (usually invisible to you)
- Used to profile your behaviour
- Sold or traded behind the scenes
If it leaks, it can lead to:
- Identity theft
- Financial fraud
- Long-term privacy erosion
- Harassment or targeted scams
- Loss of control over your digital identity
And critically, you cannot get leaked data “back.” You can change a password, but not your birthdate, biometrics, or history.

5. Who Is Supposed to Protect Your Data in Canada
Privacy protection is not the individual’s job alone. In Canada, there are multiple regulators:
Federal
- Office of the Privacy Commissioner of Canada (OPC) – Enforces PIPEDA for most private-sector organizations and the Privacy Act for federal government institutions.
Provincial
These provinces have their own private-sector privacy laws enforced by their privacy commissioners:
- Québec – Commission d’accès à l’information (Law 25)
- Alberta – Office of the Information and Privacy Commissioner (OIPC Alberta)
- British Columbia – Office of the Information and Privacy Commissioner of BC
All other provinces and territories fall under PIPEDA at the private-sector level. These regulators – not you – are responsible for ensuring organizations follow the law, secure data properly, report breaches, and handle complaints.






