PIPA Index
Part 1 -- Introductory Provisions
Part 2 -- General Rules Respecting Protection of Personal Information by Organizations
Part 3 -- Consent
Part 4 -- Collection of Personal Information
Part 5 -- Use of Personal Information
Part 6 -- Disclosure of Personal Information
Part 7 -- Access to and Correction of Personal Information
Part 8 -- Administration
Part 9 -- Care of Personal Information
Part 10 -- Role of Commissioner
Part 11 -- Reviews and Orders
Part 12 -- General Provisions
How does PIPA impact customer operations?
What in PIPA requires an audit of customer processes?
Parts 3, 4, 5 and 6 cover the requirements for dealing with the collection, use and disclosure of customer information.
Part 3 -- Consent
Compliance Tips: Consent (4.3)
Part 4 -- Collection of Personal Information
Compliance Tips: Identifying Purposes (4.2) & Limiting Collection (4.4)
Part 5 -- Use of Personal Information
Compliance Tips: Limiting use (4.5)
Part 6 -- Disclosure of Personal Information
Compliance Tips: Limiting Disclosure (4.5)
What are the responsibilities of the Privacy Office?
Parts 3, 7 and 8 state the requirements generally covered by the Privacy Office.
Part 2 -- General Rules Respecting Protection of Personal Information by Organizations
Compliance Tips: Accountability (4.1) & Openness (4.8)
Part 7 -- Access to and Correction of Personal Information
Part 8 -- Administration
Compliance: Access (4.9)
How does PIPA impact the management of customer data?
Part 9 covers the legislative requirements for data management.
Part 9 -- Care of Personal Information
Compliance Tips: Accuracy (4.6), Safeguards (4.7) & Retention (4.5)
Key Definitions: Contact Information, Federal Act, Work Product
Part 1 -- Introductory Provisions
Definitions
1 In this Act:
"commissioner" means the
commissioner appointed under section 37 (1) or 39 (1)
of the Freedom of Information and Protection of Privacy
Act;
"contact information" means information to enable
an individual at a place of business to be contacted
and includes the name, position name or title, business
telephone number, business address, business email or
business fax number of the individual;
"credit report" has the same meaning as "report" in section 106 of the Business Practices and Consumer Protection Act;
"credit reporting agency" has the same meaning as "reporting" in section 106 of the Business Practices and Consumer Protection Act;
"day" does not include a holiday or a Saturday;
"document" includes
(a) a thing on or by which information is stored,
and
(b) a document in electronic or similar form;
"domestic" means related
to home or family;
"employee" includes a volunteer;
"employee personal information" means personal information
about an individual that is collected, used or disclosed
solely for the purposes reasonably required to establish,
manage or terminate an employment relationship between
the organization and that individual, but does not include
personal information that is not about an individual's
employment;
"employment" includes working under an unpaid volunteer work relationship;
"federal Act" means the Personal Information Protection and Electronic Documents Act (Canada);
"investigation" means an investigation related to
(a) a breach of an agreement,
(b) a contravention of an enactment of Canada or a province,
(c) a circumstance or conduct that may result in a remedy or relief being available under an enactment, under the common law or in equity,
(d) the prevention of fraud, or
(e) trading in a security as defined in section 1 of the Securities Act if the investigation is conducted by or on behalf of an organization recognized by the British Columbia Securities Commission to be appropriate for carrying out investigations of trading in securities,
if it is reasonable to believe that the breach, contravention, circumstance, conduct, fraud or improper trading practice in question may occur or may have occurred;
"organization" includes a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include
(a) an individual acting in a personal or domestic capacity or acting as an employee,
(b) a public body,
(c) the Provincial Court, the Supreme Court or the Court of Appeal,
(d) the Nisga'a Government, as defined in the Nisga'a Final Agreement, or
(e) a private trust for the benefit of one or more designated individuals who are friends or members of the family of the settlor;
"personal information" means information
about an identifiable individual and includes employee personal
information but does not include
(a) contact information, or
(b) work product information;
"proceeding" means a civil, a
criminal or an administrative proceeding that is related to
the allegation of
(a) a breach of an agreement,
(b) a contravention of an enactment of Canada or a province,
or
(c) a wrong or a breach of a duty for which a remedy is
claimed under an enactment, under the common law or in equity;
"public body" means
(a) a ministry of the government of British Columbia,
(b) an agency, board, commission, corporation, office or
other body designated in, or added by regulation to, Schedule
2 of the Freedom of Information and Protection of Privacy
Act, or
(c) a local public body as defined in the Freedom of Information
and Protection of Privacy Act;
"work product information" means information prepared or collected by an individual or
group of individuals as a part of the individual's or group's
responsibilities or activities related to the individual's
or group's employment or business but does not include personal
information about an individual who did not prepare or collect
the personal information.
Regulations - Definitions
1 In this regulation:
"Act" means the Personal Information Protection Act;
"committee" means a committee under the Patients Property Act;
"health care professional" means a medical practitioner, psychologist, registered nurse or registered psychiatric nurse;
"nearest relative" means the first person in the following order of priority:
(a) spouse;
(b) adult child;
(c) parent;
(d) adult brother or sister;
(e) other adult relation by birth or adoption;
"spouse" means a person who
(a) is married to another person, or
(b) is living and cohabiting with another person in a marriage-like relationship for at least one year immediately before the death of the other person, including a marriage-like relationship between persons of the same gender.
Purpose
2 The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Application
3 (1) Subject to this section, this Act applies to every organization.
(2) This Act does not apply to the following:
(a) the collection, use or disclosure of personal information,
if the collection, use or disclosure is for the personal
or domestic purposes of the individual who is collecting,
using or disclosing the personal information and for no
other purpose;
(b) the collection, use or disclosure of personal information,
if the collection, use or disclosure is for journalistic,
artistic or literary purposes and for no other purpose;
(c) the collection, use or disclosure of personal information,
if the federal Act applies to the collection, use or disclosure
of the personal information;
(d) personal information if the Freedom of Information
and Protection of Privacy Act applies to the personal information;
(e) personal information in
(i) a court document,
(ii) a document of a judge of the Court of Appeal, Supreme
Court or Provincial Court, or a document relating to support
services provided to a judge of those courts,
(iii) a document of a master of the Supreme Court,
(iv) a document of a justice of the peace, or
(v) a judicial administration record as defined in Schedule
1 of the Freedom of Information and Protection of Privacy
Act;
(f) personal information in a note, communication or draft
decision of the decision maker in an administrative proceeding;
(g) the collection, use or disclosure by a member or officer
of the Legislature or Legislative Assembly of personal information
that relates to the exercise of the functions of that member
or officer;
(h) a document related to a prosecution if all proceedings
related to the prosecution have not been completed;
(i) the collection of personal information that has been
collected on or before this Act comes into force.
(3) Nothing in this Act affects solicitor-client privilege.
(4) This Act does not limit the information available by
law to a party to a proceeding.
(5) If a provision of this Act is inconsistent or in conflict
with a provision of another enactment, the provision of this
Act prevails unless another Act expressly provides that the
other enactment, or a provision of it, applies despite this
Act.
Part 2 -- General Rules Respecting Protection of Personal Information by Organizations
Compliance with Act
4 (1) In meeting its responsibilities under this Act, an organization
must consider what a reasonable person would consider appropriate
in the circumstances.
(2) An organization is responsible for personal information
under its control, including personal information that is
not in the custody of the organization.
(3) An organization must designate one or more individuals
to be responsible for ensuring that the organization complies
with this Act.
(4) An individual designated under subsection (3) may delegate
to another individual the duty conferred by that designation.
(5) An organization must make available to the public
(a) the position name or title of each individual designated
under subsection (3) or delegated under subsection (4),
and
(b) contact information for each individual referred to
in paragraph (a).
Policies and practices
5 An organization must
(a) develop and follow policies and practices that are
necessary for the organization to meet the obligations of
the organization under this Act,
(b) develop a process to respond to complaints that may
arise respecting the application of this Act, and
(c) make information available on request about
(i) the policies and practices referred to in paragraph
(a), and
(ii) the complaint process referred to in paragraph (b).
Part 3 -- Consent
Consent required
6 (1) An organization must not
(a) collect personal information about an individual,
(b) use personal information about an individual, or
(c) disclose personal information about an individual.
(2) Subsection (1) does not apply if
(a) the individual gives consent to the collection, use
or disclosure,
(b) this Act authorizes the collection, use or disclosure
without the consent of the individual, or
(c) this Act deems the collection, use or disclosure to
be consented to by the individual.
Provision of consent
7 (1) An individual has not given consent under this Act to
an organization unless
(a) the organization has provided the individual with the
information required under section 10(1), and
(b) the individual's consent is provided in accordance
with this Act.
(2) An organization must not, as a condition of supplying
a product or service, require an individual to consent to
the collection, use or disclosure of personal information
beyond what is necessary to provide the product or service.
(3) If an organization attempts to obtain consent for collecting,
using or disclosing personal information by
(a) providing false or misleading information respecting
the collection, use or disclosure of the information, or
(b) using deceptive or misleading practices
any consent provided in those circumstances is not validly
given.
Implicit consent
8 (1) An individual is deemed to consent to the collection,
use or disclosure of personal information by an organization
for a purpose if
(a) at the time the consent is deemed to be given, the
purpose would be considered to be obvious to a reasonable
person, and
(b) the individual voluntarily provides the personal information
to the organization for that purpose.
(2) An individual is deemed to consent to the collection,
use or disclosure of personal information for the purpose
of his or her enrollment or coverage under an insurance,
pension, benefit or similar plan, policy or contract if he or she
(a) is a beneficiary or has an interest as an insured under the plan, policy or contract, and
(b) is not the applicant for the plan, policy or contract.
(3) An organization may collect, use or disclose personal
information about an individual for specified purposes if
(a) the organization provides the individual with a notice,
in a form the individual can reasonably be considered to
understand, that it intends to collect, use or disclose
the individual's personal information for those purposes,
(b) the organization gives the individual a reasonable
opportunity to decline within a reasonable time to have
his or her personal information collected, used or disclosed
for those purposes,
(c) the individual does not decline, within the time allowed
under paragraph (b), the proposed collection, use or disclosure,
and
(d) the collection, use or disclosure of personal information
is reasonable having regard to the sensitivity of the personal
information in the circumstances.
(4) Subsection (1) does not authorize an organization to
collect, use or disclose personal information for a different
purpose than the purpose to which that subsection applies.
Withdrawal of consent
9 (1) Subject to subsections (5) and (6), on giving reasonable
notice to the organization, an individual may withdraw consent
to the collection, use or disclosure of personal information
about the individual at any time.
(2) On receipt of notice referred to in subsection (1), an
organization must inform the individual of the likely consequences
to the individual of withdrawing his or her consent.
(3) An organization must not prohibit an individual from
withdrawing his or her consent to the collection, use or disclosure
of personal information related to the individual.
(4) Subject to section 35, if an individual withdraws consent
to the collection, use or disclosure of personal information
by an organization, the organization must stop collecting,
using or disclosing the personal information unless the collection,
use or disclosure is permitted without consent under this
Act.
(5) An individual may not withdraw consent if withdrawing
the consent would frustrate the performance of a legal obligation.
(6) An individual may not withdraw a consent given to a credit
reporting agency in the circumstances described in section
12(1)(g) or 15(1)(g).
Part 4 -- Collection of Personal Information
Required notification for collection of personal information
10 (1) On or before collecting personal information about
an individual from the individual, an organization must disclose
to the individual verbally or in writing
(a) the purposes for the collection of the information,
and
(b) on request by the individual, the position name or
title and the contact information for an officer or employee
of the organization who is able to answer the individual's
questions about the collection.
(2) On or before collecting personal information about an
individual from another organization without the consent of
the individual, an organization must provide the other organization
with sufficient information regarding the purpose of the collection
to allow that other organization to determine whether the
disclosure would be in accordance with this Act.
(3) This section does not apply to a collection described
in section 8(1) or (2).
Limitations on collection of personal information
11 Subject to this Act, an organization may collect personal
information only for purposes that a reasonable person would
consider appropriate in the circumstances and that
(a) fulfill the purposes that the organization discloses
under section 10(1), or
(b) are otherwise permitted under this Act.
Collection of personal information without consent
12 (1) An organization may collect personal information about
an individual without consent or from a source other than
the individual, if
(a) the collection is clearly in the interests of the individual
and consent cannot be obtained in a timely way,
(b) the collection is necessary for the medical treatment
of the individual and the individual is unable to give consent,
(c) it is reasonable to expect that the collection with
the consent of the individual would compromise the availability
or the accuracy of the personal information and the collection
is reasonable for an investigation or a proceeding,
(d) the personal information is collected by observation
at a performance, a sports meet or a similar event
(i) at which the individual voluntarily appears, and
(ii) that is open to the public,
(e) the personal information is available to the public
from a source prescribed for the purposes of this paragraph,
(f) the collection is necessary to determine the individual's
suitability
(i) to receive an honour, award or similar benefit, including
an honorary degree, scholarship or bursary, or
(ii) to be selected for an athletic or artistic purpose,
(g) the organization is a credit reporting agency that
collects the personal information to create a credit report
and the individual consents at the time the original collection
takes place to the disclosure for this purpose,
(h) the collection is required or authorized by law,
(i) the information was disclosed to the organization under
sections 18 to 22,
(j) the personal information is necessary to facilitate
(i) the collection of a debt owed to the organization,
or
(ii) the payment of a debt owed by the organization,
(k) the personal information is collected for the purposes of the organization providing legal services to a third party and the collection is necessary for the purposes of providing those services, or
(l) the personal information is collected for the purposes of the organization providing services to a third party if
(i) the third party is an individual acting in a personal or domestic capacity,
(ii) the third party is providing the information to the organization, and
(iii) the information is necessary for the purposes of providing those services.
(2) An organization may collect personal information from
or on behalf of another organization without consent of the
individual to whom the information relates, if
(a) the individual previously consented to the collection
of the personal information by the other organization, and
(b) the personal information is disclosed to or collected
by the organization solely
(i) for the purposes for which the information was previously
collected, and
(ii) to assist that organization to carry out work on
behalf of the other organization.
Collection of employee personal information
13 (1) Subject to subsection (2), an organization may collect
employee personal information without the consent of the individual.
(2) An organization may not collect employee personal information
without the consent of the individual unless
(a) section 12 allows the collection of the employee personal
information without consent, or
(b) the collection is reasonable for the purposes of establishing,
managing or terminating an employment relationship between
the organization and the individual.
(3) An organization must notify an individual that it will
be collecting employee personal information about the individual
and the purposes for the collection before the organization
collects the employee personal information without the consent
of the individual.
(4) Subsection (3) does not apply to employee personal information
if section 12 allows it to be collected without the consent
of the individual.
Part 5 -- Use of Personal Information
Limitations on use of personal information
14 Subject to this Act, an organization may use personal information
only for purposes that a reasonable person would consider
appropriate in the circumstances and that
(a) fulfill the purposes that the organization discloses
under section 10(1),
(b) for information collected before this Act comes into
force, fulfill the purposes for which it was collected,
or
(c) are otherwise permitted under this Act.
Use of personal information without consent
15 (1) An organization may use personal information about
an individual without the consent of the individual, if
(a) the use is clearly in the interests of the individual
and consent cannot be obtained in a timely way,
(b) the use is necessary for the medical treatment of the
individual and the individual does not have the legal capacity
to give consent,
(c) it is reasonable to expect that the use with the consent
of the individual would compromise an investigation or proceeding
and the use is reasonable for purposes related to an investigation
or a proceeding,
(d) the personal information is collected by observation
at a performance, a sports meet or a similar event
(i) at which the individual voluntarily appears, and
(ii) that is open to the public,
(e) the personal information is available to the public
from a source prescribed for the purposes of this paragraph,
(f) the use is necessary to determine suitability
(i) to receive an honour, award or similar benefit, including
an honorary degree, scholarship or bursary, or
(ii) to be selected for an athletic or artistic purpose,
(g) the personal information is used by a credit reporting
agency to create a credit report if the individual consented
to the disclosure for this purpose,
(h) the use is required or authorized by law,
(h.1) the personal information was collected by the organization under section 12(1)(k) or (l) and is used to fulfill the purposes for which it was collected,
(i) the personal information was disclosed to the organization
under sections 18 to 22,
(j) the personal information is needed to facilitate
(i) the collection of a debt owed to the organization,
or
(ii) the payment of a debt owed by the organization,
(k) a credit reporting agency is permitted to collect the
personal information without consent under section 12 and
the information is not used by the credit reporting agency
for any purpose other than to create a credit report, or
(l) the use is necessary to respond to an emergency that
threatens the life, health or security of an individual.
(2) An organization may use personal information collected
from or on behalf of another organization without the consent
of the individual to whom the information relates, if
(a) the individual consented to the use of the personal
information by the other organization, and
(b) the personal information is used by the organization
solely
(i) for the purposes for which the information was previously
collected, and
(ii) to assist that organization to carry out work on
behalf of the other organization.
Use of employee personal information
16 (1) Subject to subsection (2), an organization may use
employee personal information without the consent of the individual.
(2) An organization may not use employee personal information
without the consent of the individual unless
(a) section 15 allows the use of the employee personal
information without consent, or
(b) the use is reasonable for the purposes of establishing,
managing or terminating an employment relationship between
the organization and the individual.
(3) An organization must notify an individual that it will
be using employee personal information about the individual
and the purposes for the use before the organization uses
the employee personal information without the consent of the
individual.
(4) Subsection (3) does not apply to employee personal information
if section 15 allows it to be used without the consent of
the individual.
Part 6 -- Disclosure of Personal Information
Limitations on disclosure of personal information
17 Subject to this Act, an organization may disclose personal
information only for purposes that a reasonable person would
consider are appropriate in the circumstances and that
(a) fulfill the purposes that the organization discloses
under section 10(1),
(b) for information collected before this Act comes into
force, fulfill the purposes for which it was collected,
or
(c) are otherwise permitted under this Act.
Disclosure of personal information without consent
18 (1) An organization may only disclose personal information
about an individual without the consent of the individual,
if
(a) the disclosure is clearly in the interests of the individual
and consent cannot be obtained in a timely way,
(b) the disclosure is necessary for the medical treatment
of the individual and the individual does not have the legal
capacity to give consent,
(c) it is reasonable to expect that the disclosure with
the consent of the individual would compromise an investigation
or proceeding and the disclosure is reasonable for purposes
related to an investigation or a proceeding,
(d) the personal information is collected by observation
at a performance, a sports meet or a similar event
(i) at which the individual voluntarily appears, and
(ii) that is open to the public,
(e) the personal information is available to the public
from a source prescribed for the purposes of this paragraph,
(f) the disclosure is necessary to determine suitability
(i) to receive an honour, award or similar benefit, including
an honorary degree, scholarship or bursary, or
(ii) to be selected for an athletic or artistic purpose,
(g) the disclosure is necessary in order to collect a debt
owed to the organization or for the organization to repay
an individual money owed to them by the organization,
(h) the personal information is disclosed in accordance
with a provision of a treaty that
(i) authorizes or requires its disclosure, and
(ii) is made under an enactment of British Columbia or
Canada,
(i) the disclosure is for the purpose of complying with
a subpoena, warrant or order issued or made by a court,
person or body with jurisdiction to compel the production
of personal information,
(j) the disclosure is to a public body or a law enforcement
agency in Canada, concerning an offence under the laws of
Canada or a province, to assist in an investigation, or
in the making of a decision to undertake an investigation,
(i) to determine whether the offence has taken place,
or
(ii) to prepare for the laying of a charge or the prosecution
of the offence,
(k) there are reasonable grounds to believe that compelling
circumstances exist that affect the health or safety of
any individual and if notice of disclosure is mailed to
the last known address of the individual to whom the personal
information relates,
(l) the disclosure is for the purpose of contacting next
of kin or a friend of an injured, ill or deceased individual,
(m) the disclosure is to a lawyer who is representing the
organization,
(n) the disclosure is to an archival institution if the
collection of the personal information is reasonable for
research or archival purposes,
(o) the disclosure is required or authorized by law, or
(p) the disclosure is in accordance with sections 19 to
22.
(2) An organization may disclose personal information to
another organization without consent of the individual to
whom the information relates, if
(a) the individual consented to the collection of the personal
information by the organization, and
(b) the personal information is disclosed to the other
organization solely
(i) for the purposes for which the information was previously
collected, and
(ii) to assist the other organization to carry out work
on behalf of the first organization.
(3) An organization may disclose personal information to
another organization without consent of the individual to
whom the information relates, if the organization was authorized
by section 12(2) to collect the personal information from
or on behalf of the other organization.
(4) An organization may disclose personal information to another organization, or to a public body, without consent of the individual to whom the information relates, if
(a) the personal information was collected by an organization under section 12(1)(k) or (l),
(b) the disclosure between the organizations, or between the organization and the public body, is for the purposes for which the information was collected,
(c) the disclosure is necessary for those purposes, and
(d) for each disclosure under this subsection, the third party referred to in section 12(1)(k) or (l), as applicable, consents to the disclosure.
Disclosure of employee personal information
19 (1) Subject to subsection (2), an organization may disclose
employee personal information without the consent of the individual.
(2) An organization may not disclose employee personal information
without the consent of the individual unless
(a) section 18 allows the disclosure of the employee personal
information without consent, or
(b) the disclosure is reasonable for the purposes of establishing,
managing or terminating an employment relationship between
the organization and the individual.
(3) An organization must notify an individual that it will
be disclosing employee personal information about the individual
and the purposes for the disclosure before the organization
discloses employee personal information about the individual
without the consent of the individual.
(4) Subsection (3) does not apply to employee personal information
if section 18 allows it to be disclosed without the consent
of the individual.
Transfer of personal information in the sale of an organization or its business assets
20 (1) In this section:
"business transaction" means the purchase, sale,
lease, merger or amalgamation or any other type of acquisition,
disposal or financing of an organization or a portion of an
organization or of any of the business or assets of an organization;
"party" means a person or another organization
that proceeds with the business transaction.
(2) An organization may disclose personal information about
its employees, customers, directors, officers or shareholders
without their consent, to a prospective party, if
(a) the personal information is necessary for the prospective
party to determine whether to proceed with the business
transaction, and
(b) the organization and prospective party have entered
into an agreement that requires the prospective party to
use or disclose the personal information solely for purposes
related to the prospective business transaction.
(3) If an organization proceeds with a business transaction,
the organization may disclose, without consent, personal information
of employees, customers, directors, officers and shareholders
of the organization to a party on condition that
(a) the party must only use or disclose the personal information
for the same purposes for which it was collected, used or
disclosed by the organization,
(b) the disclosure is only of personal information that
relates directly to the part of the organization or its
business assets that is covered by the business transaction,
and
(c) the employees, customers, directors, officers and shareholders
whose personal information is disclosed are notified that
(i) the business transaction has taken place, and
(ii) the personal information about them has been disclosed
to the party.
(4) A prospective party may collect and use personal information
without the consent of the employees, customers, directors,
officers and shareholders of the organization in the circumstances
described in subsection (2) if the prospective party complies
with the conditions applicable to that prospective party under
that subsection.
(5) A party may collect, use and disclose personal information
without the consent of the employees, customers, directors,
officers and shareholders of the organization in the circumstances
described in subsection (3) if the party complies with the
conditions applicable to that party under that subsection.
(6) If a business transaction does not proceed or is not
completed, a prospective party must destroy or return to the
organization any personal information the prospective party
collected under subsection (2) about the employees, customers,
directors, officers and shareholders of the organization.
(7) This section does not authorize an organization to disclose
personal information to a party or prospective party for purposes
of a business transaction that does not involve substantial
assets of the organization other than this personal information.
(8) A party or prospective party is not authorized by this
section to collect, use or disclose personal information that
an organization disclosed to it in contravention of subsection
(7).
Disclosure for research or statistical purposes
21 (1) An organization may disclose, without the consent of
the individual, personal information for a research purpose,
including statistical research, only if
(a) the research purpose cannot be accomplished unless
the personal information is provided in an individually
identifiable form,
(b) the disclosure is on condition that it will not be
used to contact persons to ask them to participate in the
research,
(c) linkage of the personal information to other information
is not harmful to the individuals identified by the personal
information and the benefits to be derived from the linkage
are clearly in the public interest,
(d) the organization to which the personal information
is to be disclosed has signed an agreement to comply with
the following:
(i) this Act;
(ii) the policies and procedures relating to the confidentiality
of personal information of the organization that collected
the personal information;
(iii) security and confidentiality conditions;
(iv) a requirement to remove or destroy individual identifiers
at the earliest reasonable opportunity;
(v) prohibition of any subsequent use or disclosure of
that personal information in individually identifiable
form without the express authorization of the organization
that disclosed the personal information, and
(e) it is impracticable for the organization to seek the
consent of the individual for the disclosure.
(2) Subsection (1) does not authorize an organization to
disclose personal information for market research purposes.
Disclosure for archival or historical purposes
22 An organization may disclose, without the consent of the individual, personal information for archival
or historical purposes if
(a) a reasonable person would not consider the personal
information to be too sensitive to the individual to be
disclosed at the proposed time,
(b) the disclosure is for historical research and is in
accordance with section 21,
(c) the information is about someone who has been dead
for 20 or more years, or
(d) the information is in a record that has been in existence
for 100 or more years.
Part 7 -- Access to and Correction of Personal Information
Access to personal information
23 (1) Subject to subsections (2) to (5), on request of an
individual, an organization must provide the individual with
the following:
(a) the individual's personal information under the control
of the organization;
(b) information about the ways in which the personal information
referred to in paragraph (a) has been and is being used
by the organization;
(c) the names of the individuals and organizations to whom
the personal information referred to in paragraph (a) has
been disclosed by the organization.
Regulation - Disclosure of Health Care Information
5 (1) Subject to this section, before disclosing information to an individual under section 23 of the Act, an organization may disclose information relating to the mental or physical health of the individual to a health care professional for the purpose of obtaining an assessment from the health care professional as to whether the disclosure of that information could reasonably be expected to result in grave and immediate harm to the individual's safety or mental or physical health.
(2) A health care professional to whom information is disclosed under subsection (1) must not use or disclose the information except for the purposes of making an assessment described in subsection (1).
(3) An organization must not disclose information to a health care professional under subsection (1), unless the health care professional has entered into a confidentiality agreement in the form provided by the organization.
(4) If a copy of personal information is provided to a health care professional under subsection (1), the health care professional must return the copy to the organization as soon as possible after providing his or her assessment of the personal information to the organization.
(2) An organization that
(a) is a credit reporting agency, and
(b) receives a request under subsection (1)
must also provide the individual with the names of the sources
from which it received the personal information unless it
is reasonable to assume the individual can ascertain those
sources.
(3) An organization is not required to disclose personal
information and other information under subsection (1) or (2) in the following circumstances:
(a) the information is protected by solicitor-client
privilege;
(b) the disclosure of the information would reveal
confidential commercial information that if disclosed, could,
in the opinion of a reasonable person, harm the competitive
position of the organization;
(c) the information was collected or disclosed without consent,
as allowed under section 12 or 18, for the purposes of an investigation
and the investigation and associated proceedings and appeals
have not been completed;
(d) [Repealed];
(e) the information was collected or created by
a mediator or arbitrator in the conduct of a mediation or
arbitration for which he or she was appointed to act
(i) under a collective agreement,
(ii) under an enactment, or
(iii) by a court;
(f) the information is in a document that is subject to a solicitor's lien.
(3.1) A credit reporting agency is not required to disclose the names of the individuals and organizations to whom the personal information was last disclosed by the agency in a credit report more than 12 months before the request under subsection (1) was made.
(4) An organization must not disclose personal information
and other information under subsection (1) or (2) in the following circumstances:
(a) the disclosure could reasonably be expected to threaten
the safety or physical or mental health of an individual
other than the individual who made the request;
(b) the disclosure can reasonably be expected to cause
immediate or grave harm to the safety or to the physical
or mental health of the individual who made the request;
(c) the disclosure would reveal personal information about
another individual;
(d) the disclosure would reveal the identity of an individual
who has provided personal information about another individual
and the individual providing the personal information does
not consent to disclosure of his or her identity.
(5) If an organization is able to remove the information
referred to in subsection (3)(a), (b) or (c) or (4) from
a document that contains personal information about the individual
who requested it, the organization must provide the individual
with access to the personal information after the information
referred to in subsection (3)(a), (b) or (c) or (4) is removed.
Right to request correction of personal information
24 (1) An individual may request an organization to correct
an error or omission in the personal information that is
(a) about the individual, and
(b) under the control of the organization.
(2) If an organization is satisfied on reasonable grounds
that a request made under subsection (1) should be implemented,
the organization must
(a) correct the personal information as soon as reasonably
possible, and
(b) send the corrected personal information to each organization
to which the personal information was disclosed by the organization
during the year before the date the correction was made.
(3) If no correction is made under subsection (2), the organization
must annotate the personal information under its control with
the correction that was requested but not made.
(4) When an organization is notified under subsection (2)
of a correction of personal information, the organization
must correct the personal information under its control.
Part 8 -- Administration
Definition
25 In this Part, "applicant" means an individual
who makes a request under section 27.
Circumstances in which request may be made
26 An individual may make a request of an organization as
permitted under sections 23 or 24.
Regulations - Who may act for minors and others
2 (1) In this section, "representative" means any of the following persons:
(a) a committee under the Patients Property Act;
(b) an attorney acting under an enduring power of attorney;
(c) a litigation guardian;
(d) a representative under the Representation Agreement Act.
(2) Subject to subsection (3), the guardian of the person of a minor may
(a) exercise the rights of the minor under section 23 of the Act, if the minor is incapable of exercising his or her rights under that section,
(b) make a request for the minor under section 24 of the Act, if the minor is incapable of exercising his or her rights under that section, and
(c) give or refuse consent to the collection, use and disclosure of personal information of the minor under the Act, if the minor is incapable of exercising that right.
(3) If an individual has a representative, the representative may
(a) exercise the rights of the individual under section 23 of the Act,
(b) make a request for the individual under section 24 of the Act, and
(c) give or refuse consent to the collection, use and disclosure of personal information of the individual under the Act.
Regulations - Who may act for deceased persons
3 If an individual is deceased, the personal representative of the individual at the time of the individual's death or, if there is no personal representative, the nearest relative of the individual may
(a) exercise the rights of the deceased individual under section 23 of the Act,
(b) make a request for the deceased individual under section 24 of the Act, and
(c) give or refuse consent to the collection, use and disclosure of personal information of the deceased individual under the Act.
Regulations - Who may act for deceased persons
4 (1) If the person who is referred to at the top of the order of the priority list of the definition of "nearest relative" is unavailable or unwilling to make a decision, then the right to act under sections 2 and 3 passes to the person who is next in priority.
(2) If the right to act under section 2 or 3 passes to persons of equal rank in the list of persons in the definition of "nearest relative" then the right passes to the person who is eldest of the persons and descends in order of age.
How to make a request
27 For an individual to obtain access to his or her personal
information or to request a correction of his or her personal
information, the individual must make a written request that
provides sufficient detail to enable the organization, with
a reasonable effort, to identify the individual and the personal
information or correction being sought.
Duty to assist individual
28 An organization must make a reasonable effort
(a) to assist each applicant,
(b) to respond to each applicant as accurately and completely
as reasonably possible, and
(c) unless section 23(3), (3.1) or (4) applies, to provide each
applicant with
(i) the requested personal information, or
(ii) if the requested personal information cannot be
reasonably provided, with a reasonable opportunity to
examine the personal information.
Time limit for response
29 (1) Subject to this section, an organization must respond
to an applicant not later than
(a) 30 days after receiving the applicant's request, or
(b) the end of an extended time period if the time period
is extended under section 31.
(2) If an organization asks the commissioner under section
37 for authorization to disregard a request, the 30 days referred
to in subsection (1) of this section does not include the
period from the start of the day the request is made under
section 37 to the end of the day a decision is made by the
commissioner with respect to that application.
(3) If an applicant asks the commissioner under section 46
to review a fee estimate, the 30 days referred to in subsection
(1) of this section does not include the period from the start
of the day the applicant asks for the review to the end of
the day the commissioner makes a decision.
Content of response
30 (1) In a response under section 28, if access to all or
part of the personal information requested by the applicant
is refused, the organization must tell the applicant
(a) the reasons for the refusal and the provision of this
Act on which the refusal is based,
(b) the name, position title, business address and business
telephone number of an officer or employee of the organization
who can answer the applicant's questions about the refusal,
and
(c) that the applicant may ask for a review under section
47 within 30 days of being notified of the refusal.
(2) Despite subsection (1)(a), the organization may refuse
in a response to confirm or deny the existence of personal
information collected as part of an investigation.
Extending the time limit for response
31 (1) An organization may extend the time for responding
to a request under section 23 for up to an additional 30 days
or, with the commissioner's permission, for a longer period
if
(a) the applicant does not give enough detail to enable
the organization to identify the personal information requested,
(b) a large amount of personal information is requested
or must be searched and meeting the time limit would unreasonably
interfere with the operations of the organization, or
(c) more time is needed to consult with another organization
or public body before the organization is able to decide
whether or not to give the applicant access to a requested
document.
(2) If the time is extended under subsection (1), the organization
must tell the applicant
(a) the reason for the extension,
(b) the time when a response from the organization can
be expected, and
(c) the rights of the applicant to complain about the extension
and request that an order be made under section 52(3)(b).
Fees
32 (1) An organization must not charge an individual a fee
respecting employee personal information concerning the individual.
(2) An organization may charge an individual who makes a
request under section 23 a minimal fee for access to the individual's
personal information that is not employee personal information
concerning the individual.
(3) If an individual is required by an organization to pay
a fee for se |