HOME 5 Data Governance 5 Legislation & the Duty of Privacy Protection


Any organization that collects and uses personal information has a duty to protect that information and prevent its misuse. SGIGs have the same duty. In this section we will explore some of the legal framework governing privacy protection in Canada and how it may apply to Indigenous governments. However, regardless of what legislation may apply, certain fundamental principles remain the same.

Principles of Privacy Protection

  • Informed consent: the individual should know what information is being collected, what it will be used for, and who to turn to if they think it is being misused.
  • Consistent use: how personal information is used needs to be consistent with the purpose it was gathered for.
  • No unauthorized disclosure: sharing of any personal information should only be done in accordance with the policies and legislation in place that govern what kinds of information can be shared and when. If no such laws or policies are in place, they must be developed.
  • The more sensitive the information, the more strict the protection measures must be.

Data Residency and the Cloud

If you are storing data in the cloud (servers accessed over the internet), you must be aware of data residency issues. Data residency refers to the physical location of your data. If the server is located outside Canada, your data will be subject to the laws of the country it is located in. For example, data stored on a server in the United States may be accessed by the United States government under the USA PATRIOT Act. Ask questions about where your data will reside when considering cloud-based data storage options and email servers.

SGIGs have jurisdiction over their administrative operations, including the management of records and information held by their government bodies. We strongly recommend that SGIGs develop their own policies and legislation for how to manage personal data about their citizens, and how to balance privacy protection and access to information—examples are provided below. Note that practices for data privacy and security are addressed in Data Security and Privacy.

There are also situations where federal, provincial, or territorial legislation may affect SGIGs. This is complicated legal territory, with many open questions. While this Toolkit can provide overviews and general guidelines, SGIGs must assess specific situations on a case-by-case basis. There are three key areas of legislation that affect data governance and management for SGIGs. These are privacy and access to information legislation, statistics legislation, and human rights legislation.

Below is a summary of how these types of legislation may affect SGIGs. More information can be found in the downloadable resource document “Legislation”.

Privacy and Access to Information Legislation

Privacy and access to information legislation are related. Both are fundamental principles of accountability and good governance. Privacy law protects an individual’s information from unauthorized access, and from being used for purposes other than why it was gathered or shared. These laws can also help ensure individuals’ human rights are respected and upheld. Access to information laws allow citizens to request information about the actions of their government and how government funds are being spent.

SGIG Privacy and Access to Information Laws

Some SGIG treaties include specific provisions about privacy and access to information laws. This may include requirements for laws to make information available to citizens and non-citizens and explains whose law has priority in the event of a conflict. We recommend you review your Final Agreement when developing laws and policies in this area.

Seven SGIGs have already passed privacy and access to information laws (see links below). While each law has unique elements, all work to ensure that Indigenous governments are transparent and accountable. The laws enable their citizens to access information held by the SGIG and explains the SGIGs’ duty to protect the personal information collected.

In addition, the Alberta First Nations Information Governance Centre has developed a Privacy Law Template, which also addresses access to information.

Provincial and Territorial Legislation

Each province and territory has its own access to information and privacy legislation that addresses how provincial/territorial public bodies and institutions manage personal information. All provinces and territories combine access to information and privacy protection for government bodies into a single statute.

Determining whether and how provincial/territorial and federal privacy legislation applies to SGIGs is not straightforward. Much depends on specifics such as: the details of each treaty or self-governing agreement; what legislation is in place in your province/territory; the kind of information that is being collected; and what agency is doing the collecting. This Toolkit does not provide complete details for all jurisdictions and all situations. Rather, some key factors and specific examples are provided to support your own local assessment.

Provincial/territorial laws do apply to local/municipal governments, universities, school boards, and healthcare agencies. This means these laws can affect an SGIG’s ability to obtain information from these organizations.

Only Alberta, British Columbia, and Québec have separate privacy statutes for private sector organizations. These laws can apply to SGIGs even though they are primarily intended for the commercial sector in those provinces. In B.C. for example, SGIGs are subject to the B.C. Personal Information Protection of Privacy Act (PIPA), because it applies to all organizations that are not provincial government bodies. SGIGs located in these provinces, who do not have their own privacy legislation, should review these statutes to see if they might apply.

BC: Personal Information Protection Act
Alberta: Personal Information Protection Act
Quebec: Act Respecting Protection of Personal Information in the Private Sector

Most provinces and territories have also passed separate privacy laws related specifically to health information.

BC: E-Health (Personal Health Information Access and Protection of Privacy) Act
Alberta: Health Information Act
Saskatchewan: Health Information Protection Act
Manitoba: Personal Health Information Act
Ontario: Personal Health Information Protection Act
Quebec: [no specific act in place]
New Brunswick: Personal Health Information Privacy and Access Act
Newfoundland and Labrador: Personal Health Information Act
Nova Scotia: Personal Health Information Act
Prince Edward Island: Health Information Act
Yukon: Health Information Privacy and Management Act
Northwest Territories: Health Information Act
Nunavut: [no specific act in place]

SGIGs that are collecting any health-related or medical information should review the relevant provincial/territorial law to determine how it may apply.

Federal Legislation

The Office of the Privacy Commissioner of Canada article Summary of privacy laws in Canada provides a high level summary of federal, provincial, and territorial privacy laws.

The Privacy Act applies to all federal government bodies, including ministries, federal crown corporations, and federal agencies such as Statistics Canada. It does not apply directly to SGIGs. This act directs how the federal government manages and protects personal information that it collects and provides individuals with the right to access information about themselves held by the federal government. The Access to Information Act, which also applies to federal government bodies, grants individuals the right to request access to records under the control of the federal government.

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to: private sector organizations that are not subject to provincial privacy legislation; organizations that collect personal information that crosses provincial or national boundaries; or organizations that are engaged in a “federal work, undertaking, or business” within the legislative authority of Parliament. There is case law that asserts that Indian Bands operating under the Indian Act are engaged in a federal undertaking. However, the extent to which PIPEDA applies to SGIGs remains unclear as it has not been specifically tested in case law.

In practice, it is best for SGIGs to develop their own legislation to address privacy and information access. This will explain the SGIG’s own authority and responsibilities when it comes to personal information that they collect.

Statistics Legislation

All provinces, territories and the federal government have similar statistics laws. Statistics statutes ensure that statistics are scientific, impartial, truthful, and reliable. Although these statutes do not impose any duty on SGIGs regarding research, it is useful to be aware of them and the criteria they provide for proper statistical reporting.

The federal Statistics Act gives Statistics Canada its mandate and guides how it collects and uses data about Canadians. The Act allows Statistics Canada to collect and use administrative data for statistical purposes.

To date, no SGIG has enacted their own statistics legislation.

Human Rights Legislation

Human rights legislation applies mainly to how socioeconomic data is used in decision making. We recommend you consider this legislation for the collection of data (especially in survey design). The legislation ensures that people’s human rights are not violated through discrimination. Relevant legislation includes:

The Community of Practice session video below is a presentation by Jennifer Jansen, Information Coordinator for Tsawwassen First Nation on the Tsawwassen First Nation Freedom of Information and Protection of Privacy Act (FIPPA).

For more videos covering content in the toolkit, see the Webinar Series and Community of Practice Videos pages.

Data Governance

Downloadable documents on this page