OCLC and Canadian privacy law

Privacy laws across Canada continue to evolve and expand.  OCLC maintains a comprehensive global privacy program, compliant with all applicable Canadian privacy laws, including PIPEDA and provincial laws such as the Quebec Privacy Act.

OCLC maintains a data centre in Toronto to host software for its Canadian library customers and securely store their patron data.

Privacy at OCLC

We are committed to the PIPEDA fair information principles.  To submit requests to exercise your personal data rights, please use the privacy request webform, or email [email protected].

OCLC maintains a worldwide privacy program, established to safeguard the personal information of our customers and their patrons.  Inquiries or complaints regarding OCLC’s protection of personal information can be directed to its Data Protection Officer:

Porter Wright Morris & Arthur LLP
Attn: Katja Garvey
[email protected]

Detailed information on OCLC’s collection and use of personal information is available in our Privacy Statement.

Global Privacy Program

OCLC’s privacy program is managed by its global legal staff, which has primary responsibility for safeguarding personal information.  In addition, an enterprise data governance body is established, which reports to executive management.  The program maintains certifications under the ISO/IEC 27018 and 27701 standards, which mandate internationally-recognized practices for the protection of personal information.  OCLC has established internal privacy and information security policies, which govern how we store and safeguard personal information, securely dispose of it, handle privacy-related inquiries and requests, manage privacy-related incidents, and comply with legal requirements in various jurisdictions worldwide.

Maintenance and Use of Personal Information at OCLC

OCLC stores personal information encrypted at rest in its data centres in Toronto and in other cities around the world.  Its technology infrastructure staff is supported by its global information security team, which monitors for and resolves security incidents.  Incidents which may involve the misuse or disclosure of personal information are referred to the legal team, which is responsible for investigating and resolving privacy incidents.  Role-based access to personal information is required for OCLC staff providing services directly to customers or maintaining software services.  All employees worldwide take annual privacy training on OCLC’s standards and practices, and are required to comply with internal rules for the safe handling and limited use of personal information.

Destruction of Personal Information at OCLC

All personal information held by OCLC is deleted according to our internal destruction schedule when it is no longer necessary to maintain.  Data destruction schedules may vary by system and type of information.  In addition, we comply with customers’ specific data destruction instructions and requirements.

Handling of Privacy Inquiries and Complaints

All privacy-related inquiries and complaints worldwide, whether received by the Data Protection Officer, OCLC’s customer support team, or through this website, are processed by our global legal staff.  This includes requests by persons to exercise their legal privacy rights.  All inquiries and complaints are managed by OCLC within its Privacy Information Management System, and are resolved in compliance with the requester’s local laws.

Last revision: October 31, 2023