Public sector
The federal Privacy Act: government-held personal information
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
Canada has two federal privacy laws, and they are constantly confused. The one most businesses mean when they say "the privacy law" is PIPEDA. The Privacy Act is the other one — and it governs the government, not the private sector. You can read it in full at the Department of Justice: Privacy Act (R.S.C., 1985, c. P-21). This page explains what it does and how it differs from PIPEDA.
What the Privacy Act governs
The Privacy Act sets the rules for how federal government institutions — roughly 265 departments, agencies, and Crown corporations — collect, use, disclose, retain, and dispose of personal information. It also gives individuals the right to access the personal information the government holds about them and to request corrections. In other words, it is the public-sector counterpart to PIPEDA's private-sector rules: same broad goal of protecting personal information, applied to a completely different set of organizations.
Privacy Act vs PIPEDA: the distinction that matters
Keep the line clear, because your obligations depend on it:
- The Privacy Act — federal government institutions. Triggered by an institution's programs and activities, not by commerce. Source: laws-lois.justice.gc.ca/eng/acts/P-21.
- PIPEDA — private-sector organizations. Triggered by handling personal information in the course of commercial activity. Source: laws-lois.justice.gc.ca/eng/acts/P-8.6.
Both are administered by the same regulator, the Office of the Privacy Commissioner of Canada (OPC). That shared oversight is exactly why the two get muddled — and why some organizations are subject to both at once, which we come back to below.
Collection limitation and consistent use
The Privacy Act limits federal institutions to collecting personal information that relates directly to an operating program or activity, and generally requires collecting it directly from the individual. Once collected, information may only be used or disclosed for the purpose it was obtained or a consistent use — a use sufficiently related to the original purpose that the individual would reasonably expect it — unless a specific exception in the Act applies. The structure will feel familiar if you know PIPEDA's purpose-limitation and use-limitation principles; the wording and the exceptions differ because one governs government and the other governs business.
Access requests: Privacy Act vs Access to Information
Under the Privacy Act, you can ask a federal institution for the personal information it holds about you, and ask to have errors corrected. This is different from the Access to Information Act, which is the route for general (non-personal) government records. The two regimes are often administered by the same office within an institution and the request forms look similar, but the legal basis is different: Privacy Act for your own personal information, Access to Information for everything else.
Why a vendor can be caught by both regimes
If your company sells services to a federal department and processes personal information on its behalf, you can sit under both laws simultaneously. The government data you handle for the institution falls within its Privacy Act obligations, which your contract pushes onto you. Meanwhile, your own commercial handling of personal information — your customers, your staff, your marketing — remains governed by PIPEDA. Sorting out which obligations attach to which data is the first step; our guide to which privacy law applies helps, and when a government buyer sends a security and privacy questionnaire, the PIPEDA questionnaire guide shows how to answer the private-sector half.
Common questions
What is the difference between the Privacy Act and PIPEDA?
They are two different federal laws with two different targets. The Privacy Act (R.S.C., 1985, c. P-21) governs how federal government institutions handle personal information. PIPEDA (S.C. 2000, c. 5) governs how private-sector organizations handle personal information in the course of commercial activity. Same regulator — the Office of the Privacy Commissioner of Canada oversees both — but the Privacy Act is about government, and PIPEDA is about businesses.
Who does the Privacy Act cover?
The Privacy Act applies to roughly 265 federal government institutions — departments, agencies, and Crown corporations listed in the Act's schedule. It does not cover provincial or municipal governments (which have their own public-sector privacy laws) and it does not cover private companies (that is PIPEDA's job). If you are a contractor processing personal information on behalf of a federal institution, the institution's Privacy Act obligations flow to you through your contract.
Can I get a copy of the personal information the government holds about me?
Yes. The Privacy Act gives individuals a right of access to their own personal information held by federal institutions, and a right to request correction of it. You make a request to the specific institution. This is distinct from the Access to Information Act, which is about general government records rather than your own personal information — though the two request processes look similar and are often administered together.
Does the same Privacy Commissioner handle the Privacy Act and PIPEDA?
Yes. The Office of the Privacy Commissioner of Canada (OPC) administers and enforces both the Privacy Act and PIPEDA. That is why a single organization — a vendor to a government department, say — can find itself answering to the same regulator under two different statutes at once: the Privacy Act for the government data it processes, and PIPEDA for its own commercial activities.