Legal Framework

Privacy Act (R.S.C., 1985, c. P-21)

Link: Privacy Act

Overview

  • The Privacy Act is the law that sets out the privacy rights of individuals in their interactions with the federal government. It governs how government institutions collect, use and disclose personal information. It also gives individuals the right to access their personal information held by the federal government.
  • The Act applies to all federal government institutions listed in the schedule to the Act as well as to Crown corporations. The OPC is subject to the Act.
  • The OPC investigates complaints against government institutions under the Act and reports its findings and recommendations at the conclusion of its investigation to the complainant and respondent institution. The OPC also has the authority to review a government institution’s compliance with the Act on its own initiative.
  • An individual, or in certain circumstances the OPC, may ask the Federal Court to review a government institution’s decision to refuse to grant them access to their personal information at the conclusion of the OPC’s investigation. There is no express mechanism to take other matters – such as a government institution’s collection, use or disclosure of personal information – to Federal Court under the Act.
  • An ad hoc Commissioner, appointed by the OPC, reviews the OPC’s own compliance with its obligations under the Act.
  • The President of the Treasury Board is responsible for, among other things, issuing directives and guidelines to government institutions regarding the operation of the Act and regulations.
  • The Minister of Justice is responsible for certain regulations under the Act and for the process to reform the Act.

Key Provisions

  • Government institutions must only collect personal information that relates directly to an operating program or activity – section 4.
  • Further, government institutions are generally required to collect personal information that is to be used for an administrative purpose directly from the individual concerned – section 5(1).
  • Individuals are required to be informed of the purposes of collection, subject to certain exceptions – section 5(2).
  • Government institutions must only use and disclose personal information with consent, for the purposes for which information was obtained or for a consistent purpose, or pursuant to an exception – subsections 7-8.
  • Personal information that is used for an administrative purpose is to be retained for a prescribed period and must be kept sufficiently accurate – subsections 6(1)-6(2).
  • Government institutions are required to dispose of personal information in accordance with any directives or guidelines issued by the President of Treasury Board – section 6(3).
  • Government institutions are required to include personal information in personal information banks and to describe the content of those banks in an index published by the President of the Treasury Board – subsections 10-11.
  • Government institutions must provide an individual access to their personal information subject to certain exceptions – subsections 12-28.

Prepared by: Legal Services Directorate


Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

Link: Personal Information Protection and Electronic Documents Act

Overview

  • The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private sector privacy law. It sets out the ground rules for how businesses must handle personal information in the course of commercial activities. PIPEDA also protects the personal information of employees of federal works, undertakings and businesses (e.g. banks, telecommunications companies, railways).
  • PIPEDA sets out “fair information principles” in its Schedule 1, with which organizations must comply, pursuant to section 5(1).
    • The principles were first developed as a model code by the Canadian Standards Association.
    • It has been said that “[t]he Code is the heart of the Act, and it is essential that it be read first to understand the operation of the provisions in the body of the legislation.” [Footnote 1]
    • Part 1 of PIPEDA sets out additional obligations and modifications to the Schedule.
  • The OPC investigates complaints and carries out audits under PIPEDA, and issues reports setting out its findings and recommendations. At the conclusion of an investigation, the complainant, or in some circumstances the OPC, may seek enforcement in Federal Court.
  • PIPEDA applies to all organizations engaged in commercial activities, with some exceptions, that have a real and substantial connection to Canada. In provinces that have been declared to have substantially similar legislation, it does not apply to the collection, use or disclosure of personal information within the province but continues to apply to personal information that is collected, used and disclosed inter-provincially or internationally. See: Provincial laws that may apply instead of PIPEDA.
  • The Minister of Innovation, Science and Economic Development is the responsible minister for PIPEDA.

Key Provisions

  • Organizations must have appropriate purposes for the collection, use and disclosure of personal information – section 5(3).
  • Organizations are required to have valid consent for the collection, use and disclosure of personal information and identify their purposes in advance – Schedule 1, clauses 4.2, 4.3; section 6.1.
  • However, organizations may collect, use and disclose personal information without consent in certain defined circumstances – subsections 7-7.4.
  • Organizations are required to be accountable for the personal information they hold and to be open about their policies and practices – Schedule 1, clauses 4.1 and 4.8.
  • Organizations must limit their collection of personal information to that which is necessary for their identified purposes and limit use and disclosure of it to those purposes – Schedule 1, clauses 4.4 – 4.5. Information must not be retained longer than necessary – Schedule 1, clause 4.5.
  • Organizations must ensure that personal information is sufficiently accurate – Schedule 1, clause 4.6.
  • Organizations must have safeguards in place to protect personal information and must notify individuals and the OPC when there has been a breach of those safeguards that poses a real risk of significant harm – Schedule 1, clause 4.7; subsections 10.1-10.3.
  • Organizations must provide individuals with access to their personal information upon request, subject to certain exceptions – Schedule 1, clause 4.9 and subsections 8-10.
  • Organizations must have a process to allow individuals to challenge an organization’s compliance with the principles in Schedule 1 – Schedule 1, clause 4.10.

Prepared by: Legal Services Directorate


Access to Information Act (R.S.C., 1985, c. A-1)

Link: Access to Information Act

Overview

  • The Access to Information Act (ATIA) provides a right of access to government records, subject to certain exemptions.
  • The OPC is subject to the ATIA and must respond to access to information requests it receives in a timely fashion. The ATIA also requires that certain of the OPC’s records be published proactively.
  • Compliance with the ATIA is overseen by the Information Commissioner and ultimately by the Federal Court.
  • The Information Commissioner may consult the OPC, and in some cases is required to do so, when examining a government institution’s refusal to disclose personal information to a requester.

Key Provisions

  • The OPC is required to refuse to disclose any record requested under the ATIA that contains information that was obtained or created by the OPC in the course of an investigation or audit – section 16.1(1). However, once the investigation or audit and all related proceedings, if any, are finally concluded, the OPC may not rely on this provision to refuse to disclose any record containing information created by or on behalf of the OPC in the course of an investigation or audit – section 16.1(2).
  • The ATIA sets out procedures for the OPC to be consulted by the Information Commissioner during the course of their investigations and for the OPC to participate in subsequent Federal Court proceedings – subsections 35(2), 36(1.1), 36.2, 37(2), 41(4), and 41.2.

Supplementary Information

  • The OPC and the Office of the Information Commissioner concluded a Memorandum of Understanding in 2020 to cover consultations between the two offices during investigations conducted pursuant to the ATIA.

Prepared by: Legal Services Directorate


Canada’s Anti-spam Legislation

An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)

Link: Canada’s Anti-spam Legislation

Overview

  • Canada’s anti-spam legislation (CASL) is the federal law dealing with spam and other electronic threats.
  • The OPC shares responsibility for enforcing CASL with the Canadian Radio-television and Telecommunications Commission (CRTC) and the federal Competition Bureau.
  • The CRTC is responsible for the substantive rules under CASL relating to the sending of commercial electronic messages, altering transmission data, and the installation of computer programs without consent.
  • For the OPC, the main effect of CASL is the introduction of rules under PIPEDA relating to electronic address harvesting and spyware.
  • CASL also provides the OPC with authority to coordinate its activities and cooperate with the CRTC, the Competition Bureau and international counterparts.

Key Provisions

  • An organization may generally not rely on any exceptions to consent in PIPEDA when it collects and uses electronic addresses by use of a computer program (address harvesting) or when it collects and uses personal information through unlawful access of a computer system (spyware) – PIPEDA, section 7.1.

Prepared by: Legal Services Directorate


National Security and Intelligence Review Agency Act (S.C. 2019, c. 13, s. 2) and Security of Canada Information Disclosure Act (S.C. 2015, c. 20, s. 2)

Overview

  • The National Security and Intelligence Review Agency (NSIRA), established in 2019, has a statutory mandate to review the activities of the Canadian Security Intelligence Service and Communications Security Establishment.
  • NSIRA is also mandated to review the national security and intelligence activities of other federal departments and agencies, and ministerial referrals. This includes, but is not limited to, the Royal Canadian Mounted Police, the Department of National Defence, and the Department of Justice.
  • NSIRA’s reviews include disclosures made by federal government institutions pursuant to the Security of Canada Information Disclosure Act (SCIDA).
  • The NSIRAA and the Privacy Act authorize the coordination of OPC investigations and NSIRA reviews.
  • SCIDA’s statutory purpose is to “encourage and facilitate the disclosure of information between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.”

Key Provisions

NSIRAA

  • Subsections 15.1(1) of NSIRAA and 37(5) of the Privacy Act authorize coordination of NSIRA reviews and OPC investigations under s. 37 of the Privacy Act.

SCIDA

  • Subsection 5(1) of SCIDA contains its own national security-related disclosure authority that permits disclosure to heads of scheduled federal institutions.
  • Paragraph 5(1)(a) requires that the “disclosure will contribute to the exercise of the recipient institution’s jurisdiction, or the carrying out of its responsibilities, under an Act of Parliament or another lawful authority, in respect of activities that undermine the security of Canada”.
  • Paragraph 5(1)(b), whose application the OPC was responsible for reviewing during the 2020 joint review with the NSIRA, requires that “disclosure […] not affect any person’s privacy interest more than is reasonably necessary in the circumstances.” [Redacted]

Prepared by: Legal Services Directorate


Proceeds of Crime (Money Laundering) and Terrorist Financing Act (S.C. 2000, c. 17)

Link: Proceeds of Crime (Money Laundering) and Terrorist Financing Act

Overview

  • The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) requires organizations subject to the PCMLTFA to undertake certain compliance activities, such as client identification and record keeping activities. As well, certain transactions are required to be reported to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
  • FINTRAC is required to comply with the Privacy Act and with specific obligations in the PCMLTFA relating to the collection, use and disclosure of information that it receives.
  • Every two years, the OPC is required, pursuant to subsection 72(2) of the PCMLTFA, to review the measures taken by FINTRAC to protect information that it receives or collects under the PCMLTFA, and to report to Parliament on the results of the review.

Key Provisions

  • Entities subject to the PCMLTFA are required to report suspicious transactions to FINTRAC – section 7.
  • The PCMLTFA sets out which reports and information FINTRAC is to receive, assess and analyze, and when it may dispose of them – section 54.
  • PIPEDA contains an exception to consent for disclosures to FINTRAC – PIPEDA, section 7(3)(c.2).

Prepared by: Legal Services Directorate

