Legal information related to PIPEDA
Guide to Bill C-6
Beginning with his 1992-93 annual report, the Privacy Commissioner has repeatedly urged governments to recognize that privacy rights should apply to the public and private sectors alike. Citing the explosion of computer technology, new advances in biotechnology and the blurring of the line between the public sector (which has privacy laws) and the private sector (which does not), he encouraged the federal government to provide leadership.
In 1995 Canada's Information Highway Advisory Council called for flexible national privacy legislation based on the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. After public consultation, on October 1, 1998 the federal government introduced the Personal Information Protection and Electronic Documents Act (Bill C-54) in Parliament. That bill died on the order paper when Parliament was prorogued and was reintroduced in October 1999 as Bill C-6, the bill described in this guide.
Part 1 of this act gives Canadians new legal rights when their personal information is collected, used or disclosed in the course of a commercial activity. The legislation addresses increasing public concerns over personal information practices of the private sector and establishes a new national privacy framework.
Part 1 will also help Canada meet new data protection standards set by the European Union that could otherwise hinder the flow of information to Canada. Quebec is currently the only jurisdiction in North America with a private sector data protection law that meets the EU requirements.
Parts 2 through 5 of the act facilitate the federal government's own use of electronic documents and establish a basis for the legal recognition of electronic documents and signatures. These elements of the act will further stimulate information highway growth and help achieve the government's stated goal of making Canada a world leader in electronic commerce by the year 2000.
When will Part 1 come into effect and to whom will it apply?
Part 1 comes into effect in two stages. Approximately one year after the act is passed, Part 1 will apply to companies subject to federal regulation such as banks, telephone companies, cable companies, broadcasters and interprovincial transportation companies, with oversight by the federal Privacy Commissioner. It will also apply to a number of federal Crown corporations not currently subject to the federal Privacy Act.
In this first stage, Part 1 will also apply to some interprovincial and international data transactions, particularly commercial lease, sale or exchange of customer lists or other personal data.
The second stage begins approximately four years after Part 1 is passed. At that time, Part 1 will also cover all organizations regulated by provincial law unless provincial governments adopt similar legislation. In that case, any organization or activity covered by the provincial law will be exempt from the application of the federal law for activities within the province. The federal law will also apply to all interprovincial and international collections, uses and disclosures of personal information.
The federal government has stated that Quebec will be exempt from the federal law because Quebec's 1994 legislation covers the private sector and is substantially similar to Part 1.
The Privacy Commissioner will work closely with provincial governments and other interested parties to encourage the development of harmonized provincial statutes.
Part 1 contains a primacy clause which will mean that it takes precedence over subsequent acts of Parliament unless those acts specifically provide otherwise.
What types of information will be covered?
Part 1 applies to personal information about an identifiable individual, in any form, that is collected, used or disclosed in the course of an activity subject to the law, with some exclusions. For example, business contact information (the name, title, business address and business telephone number of an employee) and information an individual collects, uses or discloses solely for personal or domestic purposes are not subject to the act. Part 1 also excludes information collected, used or disclosed solely for journalistic, artistic or literary purposes.
The CSA Code as a basis for personal information protection
Part 1 requires organizations to comply with the CSA Code (the principles of which are contained in Schedule 1 of the act). The code was developed through a collaborative process by business, consumer groups and government and is considered to be fair, balanced, and to reflect the legitimate interests of both business and consumers. Parliament will review the legislation, including Schedule 1, every five years after Part 1 comes into force.
Individual privacy rights and business obligations
The CSA Code establishes a minimum standard of personal information protection, based on universally recognized data protection principles. The following is an overview of individual privacy rights and business obligations under the CSA Code and Division 1 of Part 1 of the act. Anyone seeking more detailed information should consult the act.
Accountability
Organizations are responsible for all personal information within their control and must identify individuals to oversee compliance with the act. This includes implementing policies and procedures, training employees to protect personal information, and informing the public.
Organizations remain responsible when personal data is processed by third parties on their behalf and must use contracts or other means to ensure comparable protection.
Identifying Purposes
Organizations must document purposes before they can use any personal information, including the use of previously collected information for a new purpose. Ideally, purposes should be specified to individuals at or before the time information is collected, but they must always be specified before use. The purposes must be ones that a reasonable person would consider appropriate under the circumstances.
Consent
Except in limited and defined circumstances, knowledge and consent are required for the collection, use or disclosure of all personal information. Consent may be provided after collection but, except in certain circumstances, must always be obtained before use. Purposes must be clearly stated and organizations must make a reasonable effort to ensure they are understood. The nature and form of consent must match the sensitivity of the data and the circumstances, as well as the individual's reasonable expectations. Organizations cannot require consent to the collection, use or disclosure of information beyond what is specifically needed for the specified and legitimate purposes.
Individuals can withdraw consent to information use at any time, subject to legal or contractual restrictions and reasonable notice. Organizations must explain any implications of withdrawing consent.
There are some instances where organizations may collect, use or disclose personal information that is subject to Part 1 without knowledge or consent.
Information may be collected without consent if collection is clearly in the interests of the individual and consent cannot be obtained in a timely way, and in certain defined situations where seeking consent would compromise the availability or accuracy of the information.
Previously collected information can also be used for limited, specific purposes without knowledge and consent. These include investigations into breaches of agreements or violations of laws, life-threatening or similar emergencies, research or study that cannot be accomplished without using the information and where it is impractical to obtain consent, or where the information was collected without consent as described above.
There are similar defined circumstances where information can also be disclosed to third parties without knowledge and consent. These include disclosure to archival institutions and some government institutions. All personal information may be disclosed without consent 100 years after it was collected or 20 years after the death of the individual who is the subject of the information, whichever comes first.
Limiting Collection
The amount and type of information collected must be limited to what is necessary for the identified purposes. All information must be collected by fair and lawful means.
Limiting Use, Disclosure, and Retention
Personal information can only be used or disclosed for the purposes for which it was collected, except with the consent of the individual or as required by law. Personal information must be retained only as long as necessary to fulfil the identified or required purposes.
Organizations should develop guidelines and implement procedures for information retention. Information that is no longer required for identified purposes should be destroyed, erased, or made anonymous. Formal guidelines and procedures are required for such information destruction.
Accuracy
Personal information used by organizations must be as complete, up to date and accurate as necessary for the required purposes, particularly when it is used to make a decision affecting an individual. Data provided to third parties should also be as accurate and up to date as possible, with any limits to its accuracy clearly specified and understood.
Personal information must not be routinely updated unless purposes specifically require this.
Safeguards
All personal information must be protected against loss or theft, as well as unauthorized access, disclosure, copying, use or modification, with safeguards appropriate to its sensitivity. Organizations must take particular care in disposing of data to prevent unauthorized access, and must make employees aware of the need to maintain the confidentiality of all personal information.
Openness
Organizations must provide the public with general information on their data protection policies and practices, including the name and title of the person responsible for compliance with Part 1, a general description of the types of personal data held by the organization and its use, and what data is provided to related organizations such as subsidiaries.
This information must be both easy to obtain and understand. Persons with sensory disabilities can request general information or their personal data in alternate formats if the information exists in this format or the cost of conversion is reasonable and the information is needed to exercise their privacy rights.
Individual Access
Individuals have a right to examine their personal information and to challenge its accuracy and completeness. Organizations must describe what personal information they hold, give an account of how it is used, and identify the third parties to which it has been disclosed. When it is not possible to list the actual parties, a list must be provided of the parties to whom the information may have been disclosed. Organizations must amend wrong or incomplete information, and transmit the amended information to third parties where appropriate. Any unresolved dispute over amending a file must be recorded by the organization, and the details of the disputed data provided to third parties where appropriate.
If asked, organizations must also assist individuals to prepare a written access request. Any data provided to allow an organization to account for personal information use can only be used for this purpose.
Organizations must respond to access requests within 30 days unless there are reasonable grounds to extend the time limit. Individuals must be informed of any extensions and their right to complain to the Commissioner. A failure to respond within set time limits is deemed to be a refusal to respond to the request.
Any costs for personal information access must be directly related to copying costs and be reasonable in the circumstances. A charge may only be levied if an individual is informed in advance of the approximate cost and has agreed to proceed with the request.
When an organization refuses an access request, it must explain the reasons in writing and any recourse. All personal information subject to an access request must be retained as long as necessary for individuals to exhaust all available recourse under Part 1.
Part 1 also identifies a number of limited and specific circumstances where access to personal information can be denied to protect information used in investigations or legal processes, as well as to protect third party privacy rights. Organizations must inform the Commissioner concerning some types of information access refusals.
Challenging Compliance
Organizations must respond to all complaints or enquiries about their personal information handling practices and allow individuals to challenge their compliance with the Code. Every complaint must be investigated and appropriate measures taken to correct deficient policies and practices. Individuals must be informed of any further complaint resolution processes, including their right to contact the Privacy Commissioner.
Filing complaints with the Commissioner
Individuals can file a complaint in writing to the Commissioner when they have failed to achieve a satisfactory response by dealing directly with an organization, or if they believe that a complaint cannot be resolved through such a process. Complaints can be made for any perceived violation of Division 1 of Part 1 of the act, or a requirement or a recommendation of the CSA Code (Schedule 1). There is no time limit for filing complaints, except for complaints about an organization's refusal to grant access to personal information. Access complaints must normally be filed within six months of the refusal. There is no cost for filing complaints.
All written complaints will be investigated. In addition, should the Commissioner believe there are reasonable grounds to investigate any other matter relating to personal information protection, he or she can initiate an investigation directly without a complaint. In all cases, the organization will be notified.
The Commissioner has powers to seek and examine any relevant information when conducting an investigation. All information about a complaint investigation is kept confidential by the Commissioner's office. However, the Commissioner may disclose information about an organization's information-handling practices if it is in the public interest to do so.
The Commissioner or a delegate can enter any premises (except a "dwelling place") occupied by an organization, at any reasonable time, examine and obtain copies of any relevant records, and converse in private with any individual on matters relevant to the investigation. There are fines for destroying information that is the subject of a complaint or for obstructing an investigation.
The Commissioner uses dispute resolution mechanisms such as mediation and conciliation to resolve complaints. These processes generally produce resolutions faster, at less expense and with more goodwill than any other mechanism.
Every investigation must be completed, including a written report, within one year of the complaint being received or the investigation started. This report is provided to both parties in the investigation, and includes findings and recommendations, the results of any settlement reached by the parties, and any further recourse available to a complainant. The Commissioner can also request that organizations furnish details, within a specified time, of any actions taken to implement report recommendations or reasons why no such actions are proposed.
No investigation report is required in situations where other processes should be used first, where other laws or regulations would provide a more appropriate solution, where a complaint is frivolous or made in bad faith, or where too much time has elapsed between the complaint and its cause. If no report is prepared, the Commissioner will inform both parties and give the reasons.
Applying for review by the Federal Court
The Commissioner has no power to compel organizations to act on the findings or recommendations contained within a report. Within 45 days of receiving a report, either a complainant or the Commissioner can apply to the Federal Court for a hearing on most matters dealt with in Division 1 of Part 1 of the act, including some requirements (but not recommendations) of the CSA Code.
If a complainant applies to the Court, the Commissioner can also apply to appear instead of the complainant (with the complainant's consent), on behalf of the complainant, or as a party to the hearing.
The Court has the power to order an organization to correct its practices to comply with the provisions of Division 1, including notifying the public of any actions proposed or taken to correct practices. The Court can also award damages to the complainant, including damages for any humiliation suffered. There is no limit on the amount of punitive damages that may be awarded. In hearing cases, the Court must take precautions to prevent the disclosure of any information that organizations are authorized not to disclose under Part 1.
The Commissioner can also conduct audits of organizational practices where there are reasonable grounds to believe that an organization is either violating an obligation under Division 1 or not following a recommendation of the CSA Code. These recommendations represent best practices that, in some instances, may be a minimum standard of personal information protection depending on the sensitivity of the data, expectations of data subjects, or other factors.
In carrying out the audit, the Commissioner may employ the same powers used in investigating a complaint. As with investigations, it is an offence to destroy personal information that is the subject of an audit or in any other way to obstruct the conduct of an audit.
Once the audit is completed, the Commissioner will provide the organization with a report of the findings and any recommendations. The Commissioner can also publicize the results of any audits in an annual report to Parliament.
Although the Commissioner cannot compel organizations to act on audit recommendations, failure to do so could result in a further investigation, leading to an application before the Federal Court.
Education and public consultation
To promote greater awareness of privacy issues and to encourage consistent standards of personal information protection, the Commissioner may carry out public information programs, undertake privacy research, and encourage the private sector to develop and implement policies and codes of practice, based on Division 1 and the CSA Code.
The Commissioner also has a broad mandate to consult with provincial privacy commissioners or other parties, and to enter into agreements to coordinate complaints-handling activities, where appropriate. The Commissioner may enter into agreements with provinces to undertake and publish joint research on privacy issues and to develop model contracts for interprovincial or international protection of personal information. Such contracts can play an important role in achieving consistent standards and meeting international privacy protection requirements.
The Commissioner must report annually to Parliament on all activities relating to Part 1, including the status of provincial privacy legislation and other matters concerning interprovincial and international data protection.
Part 1 protects employees and other individuals from reprisals for acting on reasonable grounds and in good faith to uphold the provisions of Part 1 or to inform the Commissioner of perceived violations. Individuals can ask that their identity be kept confidential when contacting the Commissioner, and the Commissioner is obliged to maintain that confidentiality in all circumstances.
Employers may not take reprisals of any kind against an employee or independent contractor because they believe the individual, acting on a reasonable belief, has informed the Commissioner of an actual or potential breach of Part 1, has acted (or stated an intention to act) to prevent a perceived violation, or has refused (or stated an intention to refuse) to carry out any duty that would violate the act.