Report to Parliament Concerning Substantially Similar Provincial Legislation

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

May 2002

The Privacy Commissioner of Canda
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 995-8210, 1-800-282-1376
FAX (613) 947-6850
TDD (613) 992-9190

© Minister of Public Works and Government Services Canda 2002
Cat. No. IP34-II/2002
ISBN 0-662-66621-6


May 2002

The Honourable Daniel Hays
The Speaker
The Senate of Canada


Dear Mr. Hays:

I have the honour to submit to you my Report to Parliament Concerning Substantially Similar Provincial Legislation.

Under the Personal Information Protection and Electronic Documents (PIPED) Act, I am required to report annually to the Parliament of Canada on the extent to which the provinces have enacted legislation that is "substantially similar" to the PIPED Act.

Although I touched on this issue in my 2000-2001 Annual Report to Parliament, this is my full report on the matter to date.


Yours sincerely,

George Radwanski
Privacy Commissioner of Canada


May 2002

The Honourable Peter Milliken
The Speaker
The House of Commons


Dear Mr. Milliken:

I have the honour to submit to you my Report to Parliament Concerning Substantially Similar Provincial Legislation.

Under the Personal Information Protection and Electronic Documents (PIPED) Act, I am required to report annually to the Parliament of Canada on the extent to which the provinces have enacted legislation that is "substantially similar" to the PIPED Act.

Although I touched on this issue in my 2000-2001 Annual Report to Parliament, this is my full report on the matter to date.

Yours sincerely,

George Radwanski
Privacy Commissioner of Canada


Introduction

Subsection 25(1) of the Personal Information Protection and Electronic Documents (PIPED) Act requires me to report annually to the Parliament of Canada on the "extent to which the provinces have enacted legislation that is "substantially similar" to the PIPED Act.

In my 2000-2001 Annual Report to Parliament, which I tabled on December 12, 2001, I touched briefly on how I propose to interpret "substantially similar" and provincial legislative initiatives to regulate the private sector. I am now reporting more fully on the matter of substantially similar provincial legislation.

As I discuss below, every province has sectoral laws that contain provisions providing limited protection of personal information and some provinces have passed more detailed legislation dealing with personal health information. These sector-specific laws provide important but fragmentary protection.

A few provinces have taken preliminary steps towards introducing comprehensive legislation to control the collection, use and disclosure of personal information in the private sector.

Other provinces may be considering similar legislation. Such legislation would subsume some of these sector-specific laws. Until it becomes clearer which provinces will pass such legislation, I will refrain from commenting on this sector specific legislation.

However, I will take this opportunity to provide my assessment of Quebec's comprehensive private sector legislation, the Act Respecting the Protection of Personal Information in the Private Sector.

Background

Paragraph 26(2)(b) of the PIPED Act gives the Governor in Council the power to:

"if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province."

The intent of this provision is to allow provinces and territories to regulate the personal information management practices of organizations operating within their borders.

Once the Governor in Council has issued an Order declaring legislation to be substantially similar, only personal information that flows across provincial or national borders will be subject to the PIPED Act. The PIPED Act will continue to apply within a province to the activities of organizations that are under federal jurisdiction such as banking, broadcasting, telecommunications and transportation.

The PIPED Act does not provide any explicit guidance in terms of the criteria to be used in determining whether or not legislation enacted by a province is substantially similar. Nor does the Act provide any guidance in terms of the process that would trigger a determination of substantially similar.

My Determination of "Substantially Similar"

In assessing provincial legislation, I will interpret substantially similar to mean equal or superior to the PIPED Act in the degree and quality of privacy protection provided. The federal law is the threshold or floor. A provincial privacy law must be at least as good, or it is not substantially similar.

To be considered substantially similar, any provincial legislation will have to contain, at a minimum, the ten principles set forth in Schedule 1 to the PIPED Act. While I consider all ten principles of this code to be interrelated and equally important, I consider consent and access and correction rights, along with the reasonable person test to be the key components in making an assessment of substantially similar. In addition, any provincial law would need to provide for effective oversight and redress.

Consent
The federal law says that consent must be informed and that an organization may only collect, use or disclose personal information about an individual with the individual's consent except in certain limited circumstances that are set out in the Act.

After collection, personal information can only be used or disclosed for the purpose for which consent was given, except in certain circumstances that are set out in the Act.

Reasonable Person Test
The reasonable person test provides another important check on organizations. The law states that the collection, use, and disclosure of personal information must be limited to purposes that a reasonable person would consider appropriate in the circumstances.

This test prevents organizations from using overly broad or vague statements of the purposes for which information is being collected and from coercing individuals to give consent.

Access and Correction Rights
Individuals must have the right to access personal information that organizations have about them and to correct any information that is incorrect (or to have any disagreement noted and provided to any party who received the information).

Oversight
Where an individual is of the opinion that his or her privacy rights have been violated or that the privacy law has not been respected, the individual must have the ability to complain to a fully independent oversight body with the specific mandate to resolve complaints, thoroughly investigate, mediate, conciliate and make recommendations or issue orders. Such an oversight body also must have the full range of investigative powers to seize documents, enter premises, compel testimony and initiate audits of an organization's practices.

Redress
Following a complaint, and the issuance of my report, the federal Act allows the complainant (or myself directly) to apply for a hearing in the Federal Court of Canada. The complainant or I can ask the court to order the organization in question to correct its information handling practices and make public the steps it has taken to do so. The court can be asked to award damages to the complainant.

Decisions of the Federal Court can be appealed to the Federal Court of Appeal and with leave to the Supreme Court of Canada.

There must be corresponding redress provisions in any provincial legislation which purports to be "substantially similar".

Industry Canada's Process for Assessing Substantially Similar

Following discussions with my office, the Department of Industry published a notice in the Canada Gazette Part 1 (September 22, 2001) setting out the process that the department will follow for determining whether provincial/territorial legislation will be deemed substantially similar.

The process will be triggered by a province, territory or organization advising the Minister of Industry of legislation that they believe is substantially similar to the PIPED Act. The Minister may also act on his or her own initiative and recommend to the Governor in Council that provincial or territorial legislation be designated as substantially similar.

The Minister will seek the Privacy Commissioner's views on whether or not legislation is substantially similar and include the Commissioner's views in the submission to the Governor in Council.

The process also provides for an opportunity for the public and interested parties to comment on the legislation in question.

According to the Canada Gazette notice, the Minister will expect substantially similar provincial or territorial legislation to:

  • incorporate the ten principles in Schedule 1 of the PIPED Act;
  • provide for an independent and effective oversight and redress mechanism with powers to investigate; and
  • restrict the collection, use and disclosure of personal information to purposes that are appropriate or legitimate.

Provincial Public Sector Legislation

New Brunswick's Protection of Personal Information Act came into force in April 2001. Prince Edward Island's Freedom of Information and Protection of Privacy Act received Royal Assent on May 15, 2001, and will come into force in November 2002. With the introduction and passage of these two Acts, every province and territory in Canada with the exception of Newfoundland and Labrador now has statutory protection for personal information held by government departments and agencies.

Provincial Private Sector Legislation

To date, Quebec is the only province in Canada with comprehensive legislation that applies to personal information in the private sector. The Act Respecting the Protection of Personal Information in the Private Sector came into effect, with a few exceptions, on January 1, 1994. The legislation sets out detailed provisions that enlarge upon and give effect to the information privacy rights in Articles 35 to 41 of the Civil Code of Quebec.

Four other provincial governments -- New Brunswick, British Columbia, Manitoba and Ontario -- have explored legislative options for the comprehensive regulation of the collection, use, and disclosure of personal information in the private sector.

New Brunswick's Department of Justice issued Privacy Discussion Paper # 2 in May 1998. One of the purposes of the paper was to ask "whether data protection legislation is also needed in the private sector and, if so, what it should say." The first discussion paper dealt with public sector legislation.

The Manitoba Ministry of Consumer and Corporate Affairs released a discussion paper, The Protection of Personal Information in the Private Sector, in March 1999. This was followed up by a series of public meetings in communities throughout Manitoba.

The government of British Columbia released a discussion paper in October 1999, Protecting Personal Privacy in the Private Sector. A Special Committee on Information Privacy in the Private Sector held public hearings on the discussion paper in January 2000.

These discussion papers were issued by governments that have since been voted out of office. However, in February 2002, the new British Columbia Minister of Management Services did state that the government intends to introduce legislation to protect personal information held by the private sector.

The Government of Ontario released a discussion paper in July 2000 on a proposed Ontario privacy act. This was followed by draft legislation that was issued for comments on February 4, 2002. The new legislation is called the Privacy of Personal Information Act, 2002.

The document released by the Ontario Ministry of Consumer and Business Services is both draft legislation and a consultation paper. Individuals and organizations were invited to comment on the legislation until March 31, 2002. There are 19 sets of questions throughout the document to help individuals and organizations frame their comments.

The proposed legislation will apply to the private sector, the health sector, and organizations such as charities, professional associations, religious groups and universities. The legislation will not apply to personal information collected, used or disclosed for personal non-commercial purposes or to personal information an organization collects, uses or discloses for artistic, journalistic or literary purposes. Similarly, the PIPED Act does not apply to personal information collected, used or disclosed for these purposes.

Provincial Sector Specific Legislation

Many provincial sector specific laws include provisions dealing with the protection of personal information. Every province except New Brunswick has legislation dealing with consumer credit reporting. These Acts typically impose an obligation on credit reporting agencies to ensure the accuracy of the information, place limits on the disclosure of the information and give consumers the right to have access to, and challenge the accuracy of, the information.

Many Acts impose obligations limiting the disclosure of information. Several provinces have passed legislation that imposes restrictions on the disclosure of personal information by private investigators. Laws governing credit unions typically have provisions dealing with the confidentiality of information relating to members' transactions. There are a large number of provincial Acts that contain confidentiality provisions concerning personal information collected by professionals.

The Health Sector
The provinces of Alberta, Manitoba and Saskatchewan have all passed health-specific privacy legislation. The legislation in Manitoba and Alberta is currently in force. Saskatchewan has not announced when its legislation will come into force.

All three laws establish rules for the collection, use and disclosure of personal health information. They each set out rights of access and correction as well as the right to request a review by an oversight body, who can investigate complaints.

These laws apply to personal health information held by provincial government ministries, hospitals, regulated health professions (such as physicians, pharmacists, dentists, registered nurses), laboratories and other health care facilities.

Quebec's Act Respecting the Protection of Personal Information in the Private Sector covers health information in the private sector. It applies to all enterprises in Quebec, including private sector organizations that deliver health services, as well as any professional who operates a practice. Quebec's Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information applies to the remainder of the health sector.

British Columbia does not have specific health sector legislation, but its public sector legislation, the Freedom of Information and Protection of Privacy Act, covers health information held by all publicly funded health organizations and health care providers, including clinics, universities and hospitals.

In 1995 the scope of the Act was expanded to include all self-governing professional bodies. These bodies include the College of Physicians and Surgeons, the College of Dental Surgeons, the College of Pharmacists, Registered Nurses Association and the Health Professions Council. Practitioners in private practice and private clinics and laboratories fall outside the scope of the Act.

In December 2000, Ontario introduced Bill 159, the Personal Health Information Privacy Act. This bill died on the order paper when the provincial legislature prorogued on March 2, 2001.

Ontario has now decided to include health specific provisions in its general private sector legislation, the Privacy of Personal Information Act, 2002. The draft Ontario legislation will apply to all health care providers except aboriginal and spiritual healers, and midwives working within their own communities.

The PIPED Act will not apply to the intraprovincial collection, use or disclosure of personal information in the course of commercial activities by organizations subject to provincial law until January 1, 2004. As January 1, 2004 approaches, the intentions of the provinces may become clearer.

Against this background, I will now turn to commenting on the only comprehensive provincial private sector legislation currently in effect, Quebec's Act Respecting the Protection of Personal Information in the Private Sector.

Quebec's Act Respecting the Protection of Personal Information in the Private Sector

Quebec's Act Respecting the Protection of Personal Information in the Private Sector is structured very differently from the PIPED Act. Nonetheless, the overall thrust and the general intent of the two Acts are similar. Both Acts are based on the Organization for Economic Co-operation and Development Guidelines on the Protection of Privacy and Transborder Flows of Personal Information.

The two Acts are generally similar in terms of scope and application: the definitions of personal information are similar; both apply to employee information; and both have a journalistic exception, although the PIPED Act exception includes artistic or literary purposes. The most significant difference in terms of application is that the Quebec legislation also applies to non-commercial organizations. (The Quebec legislation uses the term "enterprises" and persons. I have used the term organizations for the sake of consistency.)

Legislation has been introduced to amend the Quebec Act. The most significant proposed amendments include:

  • Personal information held by professional bodies will be covered;
  • An organization must take special measures to help individuals with disabilities gain access to their information;
  • An organization may charge for special measures taken to provide access;
  • Consent is not required for disclosures for archival purposes;
  • Consent is not required for disclosure of information that is over 100 years old or relates to an individual who has been dead for over 30 years;
  • No health information can be disclosed without consent in a way that identifies an individual unless the information is over 100 years old;
  • Consent is not required for the disclosure of personal information considered by law to be public; and
  • An organization's obligation to ensure compliance with the Quebec legislation when disclosing information outside Quebec extends to any information not just that of Quebec residents.

On balance, the proposed amendments, if passed, will strengthen the legislation with the exception of new disclosures without consent. However, these disclosures are generally consistent with the PIPED Act.

In addition to the Quebec legislation and the provincial public sector legislation, the Quebec Civil Code and the Quebec Charter of Human Rights and Freedoms provide important privacy rights. The Civil Code was completely updated in 1993. Articles 35 to 41 of the Code deal specifically with privacy protection. Articles 35 and 36 address territorial privacy, for example stalking, and a general privacy tort. Articles 37 to 41 contain broad data protection principles such as limiting collection, requirements for consent, and access and correction rights.

Assessment of Substantially Similar

In assessing the legislation, I have looked for the ten principles set forth in Schedule 1 to the PIPED Act. I have placed particular emphasis on five components of the PIPED Act: consent, the reasonable person test, access and correction rights, oversight, and redress.

The Ten Principles
All of the ten principles are readily apparent in the Quebec legislation except for the accountability principle and the openness principle.

The accountability principle states:

"An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles."

The openness principle states:

"An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information."

There is no provision in the Quebec legislation that specifically requires an organization to designate an accountable individual. However, the legislation does establish a clear accountability process. Organizations can only collect information for a serious and legitimate purpose; they are required to protect the information; and they can be held accountable if they fail to abide by the requirements in the legislation.

There is no specific requirement in the Quebec legislation that organizations be "open about their policies and practices". There are two sections in the Quebec legislation that address openness indirectly. Section 79 requires "personal information agents" -- credit reporting agencies -- to make their activities known to the public by means of notices published periodically in the press. Section 8 requires an organization, when collecting information from an individual, to inform the individual of the object of the file, the use that will be made of the information, the categories of person within the organization who will have access to the information, the place where the file will be kept, and his or her access and correction rights.

Consent

The PIPED Act requires:

"The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate." (Principle 4.3)

"Consent is required for the collection of personal information and the subsequent use or disclosure of this information." (Principle 4.3.1)

The Quebec legislation states:

"Any person collecting personal information relating to another person may collect such information only from the person concerned, unless the latter consents to collection from third persons." (section 6)

"Consent to the communication or use of personal information must be manifest, free and enlightened, and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.

Consent given otherwise than in accordance with the first paragraph is without effect." (section 14)

Section 14 of the Quebec legislation does not mention collection, suggesting that consent is not required for collection. However, section 6 requires that information must be collected from the person concerned unless the latter consents to collection from third parties, thus effectively providing for consent. (If the information is being provided by the person concerned, consent is implied.) As well, an amendment has been proposed that would add the term collection to section 14. If passed, this amendment would bring a highly welcome element of additional clarity.

The term "manifest" in section 14 of the Quebec legislation means clear, and unequivocal and precise. The term enlightened is generally equivalent to the requirement in the PIPED Act that consent must be accompanied by knowledge of the purpose(s) for which the information is to be used (Principle 4.3.2). The Quebec legislation requires that consent be free: the PIPED Act (Principle 4.4.2) states that consent for collection must not be obtained through deception while Principle 4.3.3 states that an organization cannot require someone to consent to collection, use or disclosure beyond that required for explicitly specified purposes.

On balance, the general consent requirement in the Quebec legislation is at least as strong as in the PIPED Act.

Both the PIPED Act and Quebec's Act have exceptions allowing collection, use or disclosure without consent.

The Quebec legislation provides that an organization may only collect personal information from a third party without consent if the law so authorizes, or if the personal information is being collected for a serious and legitimate reason. In the latter case, one of the following conditions must apply: the information cannot be collected from the individual concerned "in due time" or collection from a third party is necessary to ensure accuracy.

Unlike the PIPED Act, the Quebec legislation does not contain any clearly defined circumstances where information can be used without consent. However, some of the disclosures without consent discussed below, such as the nominative lists, information disclosed for research purposes or for the purpose of recovering a debt, also involve a use without consent.

With respect to disclosure without consent, the PIPED Act lists 14 circumstances, the Quebec legislation slightly fewer. One noteworthy difference is the nominative list exception in the Quebec legislation. A nominative list is simply a marketing list -- names, addresses and telephone numbers. The Quebec legislation allows an organization to communicate a nominative list to a third party without consent, provided a contract prevents the information from being used for any purpose other than "commercial or philanthropic prospection", the people on the list have a chance to opt out, and the communication does not "infringe upon the privacy of the persons concerned". This last qualification is presumably meant to address situations in which the source of the list, for example a magazine, might potentially reveal sensitive information such as a medical condition.

In some cases, when information is disclosed without consent, for example for research purposes or for the recovery of debts, the Quebec legislation requires that these disclosures be entered in the individual's file. Under the PIPED Act, an organization has to inform the Commissioner before information is disclosed, without consent, for statistical, scholarly or research purposes. More generally, Principle 4.9.1 requires an organization to provide, upon request, an account of third parties to which personal information has been disclosed.

Both pieces of legislation have relatively broad exemptions allowing disclosure without consent for law enforcement purposes.

On the whole, the situations when consent is not required for collection, use or disclosure are roughly similar in the two Acts.

Access and Correction Rights
The Quebec legislation has a strong right of access. In response to a written request, an organization must "confirm the existence of the file and communicate to the person any personal information concerning him".

An organization must reply to a written access or rectification request within 30 days and there is currently no right of extension.

(The PIPED Act allows for an extension on limited grounds provided the individual is informed.) No fee can be charged for access to the information, but a reasonable charge can be required for reproduction or transmission of the information.

Certain exceptions to access apply. The widest general exception is set out in Article 39 of the Civil Code that allows access to be denied when there is a "serious and legitimate reason for doing so". The other access exceptions in the Quebec legislation are similar to those in the PIPED Act. The Quebec legislation does not contain a "confidential commercial information" exception as is found in the PIPED Act.

The Commission's public order remedy for access is quick, can be held in the applicant's county of residence and is only used if the Commissioner cannot mediate the dispute.

On balance, the access and correction rights under the Quebec legislation are at least as strong as under the PIPED Act.

With respect to correction, where there is a disagreement relating to a request for correction, the organization holding the file must prove that the file need not be rectified. Under the PIPED Act, the burden of proof lies with the individual.

Oversight
La Commission d'accès à l'information (the Commission) is vested with the oversight authority to monitor the operation of the legislation.

The Commission has the authority to:

  • receive complaints;
  • initiate investigations;
  • compel the production of information;
  • enter premises;
  • examine and make copies of relevant information;
  • determine its own investigative procedures;
  • mediate disputes;
  • refuse to examine a matter it considers frivolous or made in bad faith;
  • recommend remedial measures that are appropriate to ensure the protection of the personal information;
  • order remedial measures;
  • fix time limits for the implementation of these measures;
  • disclose information about an organization's non-compliance; and
  • issue final decisions on matters of fact.

The Commission is required to render a decision in writing concerning every disagreement submitted to it.

The Commission has all the powers of a court of law.

The Privacy Commissioner's authority under the PIPED Act is similar except that the Commissioner cannot issue orders.

The Quebec legislation gives the Commission strong oversight powers that are at least equal to those of the federal Privacy Commissioner under the Act.

Redress
As discussed above, the Commission has extensive powers. In terms of redress, these include the powers:

  • to make any order it considers appropriate to protect the rights of the parties and rule on any issue of fact or law;
  • to order a person carrying or an enterprise to communicate or rectify personal information or refrain from doing so;
  • after an inquiry, to recommend or order the application of such remedial measures as are appropriate to the protection of personal information; and
  • to designate a person to "attempt to bring parties to an agreement".

Any order of the Commission is enforceable as a court order.

The Commission's orders can be appealed to the Court of Quebec, with leave, on any question of law or jurisdiction. The decision of the Court of Quebec is without appeal.

Organizations that collect, hold, communicate to third persons or use personal information in contravention of the Act are liable to fines of $1,000 to $10,000 for an initial offence and fines of $10,000 to $20,000 for a subsequent offence. In the case of personal information agents (organizations that maintain and disclose credit files and reports), the fines range from $6,000 to $12,000 for a first offence and from $10,000 to $20,000 for a subsequent offence.

Under the PIPED Act there are three offences subject to a fine:

  • failing to retain information that is the subject of an access request;
  • dismissing or harassing an employee who is a whistleblower; and
  • obstructing the Commissioner in the course of an investigation or an audit.

Offenders can be fined up to $10,000 on summary conviction or up to $100,000 on indictment.

Wronged individuals can seek redress and damages under either the Civil Code or Quebec's private sector legislation, except for matters relating to access and correction rights. The Civil Code specifically transfers responsibility on this matter to the legislation. Seeking redress under the Civil Code involves launching a lawsuit, with all the costs and possible rewards this entails. Seeking redress under the Act is much easier and less costly, but not necessarily as effective, far-reaching or financially rewarding, assuming one wins.

The PIPED Act gives the Privacy Commissioner considerable latitude in terms of assisting individuals who have filed a complaint and who wish to pursue the matter in the Federal Court.

Comparing the redress provisions in the two Acts is difficult because of the role of the Civil Code and because the powers and the roles of the Commission and the Privacy Commissioner differ. Nonetheless, I believe that the redress provisions in the Quebec legislation are equally effective.

Reasonable Person Test
The reasonable person test in the PIPED Act, subsection 5(3), states:

"An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances."

One of the reasons the reasonable person test was added during the legislative process was to prevent organizations from using overly broad or vague purpose statements and then collecting information to fulfil these broad purposes. The reasonable person test effectively addresses a weakness in the CSA Code (Schedule 1). Even with consent, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

The Quebec legislation does not have a reasonable person test as such, but it does state that an organization may only establish a file on another person for a serious and legitimate reason and that the information collected must be necessary for the defined object of the file (sections 4 and 5).

Section 9 states that an organization shall not refuse to respond to a request for a good or a service or a request relating to employment because an applicant refuses to disclose personal information, unless the information is necessary for performance of a contract or the collection is authorized by law. In case of doubt, personal information is considered to be non-necessary. This last provision shifts the burden of proof to justify collection on to the organization.

Although the Quebec legislation does not use the term "reasonable person", I believe that the provisions cited above are similar in intent and effect in terms of limiting unnecessary collection, use or disclosure.

Conclusion

Based on the foregoing analysis, I believe that Quebec's Act Respecting the Protection of Personal Information in the Private Sector legislation is substantially similar to the PIPED Act in terms of the extent to which it protects personal information.

Date modified: