Legal information related to PIPEDA
The Personal Information Protection and Electronic Documents Act
- The Personal Information Protection and Electronic Documents Act was first introduced in the House of Commons in October 1998 as Bill C-54. It was re-introduced as Bill C-6 in October 1999 at the opening of the new Parliamentary session. The Senate passed the bill with two amendments pertaining to personal health information. Parliament approved the amendments and the Act received Royal Assent on April 13, 2000.
- The Act establishes rules for the management of personal information by organizations involved in commercial activities.
- The Act strikes a balance between an individual's right to the protection of personal information and the need of organizations to obtain and handle such information for legitimate business purposes.
- Canadians have the right to know and should ask why a business or organization is collecting, using or disclosing their personal information, such as name, age, medical records, income, spending habits, DNA code, marital status, etc. They also have the right to check their personal information and correct any inaccuracies.
- Businesses must obtain the individual's consent when they collect, use or disclose personal information, except in some circumstances, such as information needed for an investigation or an emergency where lives or safety are at risk.
- Under the Act, individuals may complain to the Privacy Commissioner about how organizations handle their personal information. The Privacy Commissioner is an Officer of Parliament, reporting directly to Parliament. He functions as an ombudsman; receives, initiates, investigates and resolves complaints; conducts audits; and educates the public about privacy issues. The Commissioner has two sets of powers:
1) the power of disclosure, which is the right to make information public; and
2) the power to take matters to the Federal Court of Canada, which can in turn order organizations to stop a particular practice, and can award substantial damages for contravention of the law.
- The Act contains a set of fair information principles. These principles are rooted in international data protection standards and are based on the Canadian Standards Association's Model Privacy Code for the Protection of Personal Information. The code was developed with input from businesses, governments, consumer associations and other privacy stakeholders.
- The Act applies to the collection, use and disclosure of personal information by organizations during commercial activities. Personal information is any information about an identifiable individual whether recorded or not. Organizations include associations, partnerships, persons and trade unions. "Bricks-and-mortar" and e-commerce businesses are covered by the Act. The term "commercial activity" includes the selling, bartering or leasing of donor, membership or other fund-raising lists.
The Act does not apply to:
- Federal government institutions subject to the Privacy Act
- Personal information collected, used or disclosed for personal or household reasons
- Personal information collected, used or disclosed for journalistic, artistic or literary purposes
- The name, title, business address or telephone number of an employee of an organization
Key Aspects of the Act
Fair Information Principles
- Organizations can only collect personal information that is appropriate for the specific transaction; they must explain why they need the information, what it will be used for, whether they plan to disclose it to anyone else and must obtain consent for this use and disclosure. There are exceptions to the consent provision for law enforcement, scholarly research and emergencies.
- Individuals may obtain information about themselves held by an organization and can request that inaccurate or incomplete information be corrected. Exceptions include such matters as national security, solicitor-client privilege and threats to the safety of others.
Federal Court of Canada
- An individual dissatisfied with the results of an investigation by the Privacy Commissioner, or the Commissioner himself, can apply to the Federal Court for a hearing. The Court can award damages to an individual (including damages for humiliation) and can order an organization to correct its practices.
- Anyone who reports a contravention of the Act may go to the Privacy Commissioner who may request that his identity be kept confidential.
It is an offence to obstruct an investigation or audit, destroy personal information that is the subject of an access request or discipline a whistleblower. A person is liable to a fine of up to $10,000 on summary conviction or up to $100,000 for an indictable offence.
The Act comes into force in three stages.
Beginning January 1, 2001, the law applies to:
- Federal works, undertakings or businesses, such as banks, telecommunications companies, airlines, railways and interprovincial trucking companies, and to the employee records in those organizations.
- Personal information disclosed across borders for consideration (e.g., the sale or lease of lists).
On January 1, 2002, the law applies to:
- Personal health information collected, used or disclosed by organizations described under phase one of the law.
On January 1, 2004, the law will apply to:
- The collection, use and disclosure of personal information by any organization in the course of commercial activity within a province;
- All personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of commercial activities.
The federal government may exempt organizations and/or activities in provinces that have adopted substantially similar legislation.
That means, beginning January 1, 2004, the privacy rights of all Canadians will be protected in one of two ways:
- by the federal act, or
- by a provincial act that is substantially similar to the federal law.
For more information, contact: Office of the Privacy Commissioner of Canada