Jurisdiction and Commissioner
Powers
PIPEDA Index
|
| |
|
|
|
|
| |
|
|
|
|
BILL C-6 - ASSENTED TO 13th APRIL, 2000
Note: This is copy of the Act with copies of relevent
regulations. See PIPEDA
Act.
PART
1 |
PROTECTION OF PERSONAL
INFORMATION IN THE PRIVATE SECTOR |
|
Interpretation
|
| Definitions |
2.
(1) The definitions in this subsection apply
in this Part.
|
| alternative format |
``alternative format'',
with respect to personal information, means a format
that allows a person with a sensory disability to read
or listen to the personal information.
|
commercial
activity
|
``commercial activity''
means any particular transaction, act or conduct or
any regular course of conduct that is of a commercial
character, including the selling, bartering or leasing
of donor, membership or other fundraising lists.
|
| Commission |
``Commissioner'' means
the Privacy Commissioner appointed under section 53
of the Privacy Act
|
| ``Court'' |
``Court'' means the Federal
Court-Trial Division.
|
| ``federal
work, undertaking or business'' |
``federal work,
undertaking or business'' means any work, undertaking
or business that is within the legislative authority of
Parliament. It includes |
|
( a ) a work, undertaking or business that
is operated or carried on for or in connection with
navigation and shipping, whether inland or maritime,
including the operation of ships and transportation
by ship anywhere in Canada;
|
|
( b ) a railway, canal, telegraph or other
work or undertaking that connects a province with
another province, or that extends beyond the limits
of a province;
|
|
( c ) a line of ships that connects a province
with another province, or that extends beyond the
limits of a province;
|
|
( d ) a ferry between a province and another
province or between a province and a country other
than Canada;
|
|
( e ) aerodromes, aircraft or a line of
air transportation;
|
|
( f ) a radio broadcasting station;
|
|
( g ) a bank;
|
|
( h ) a work that, although wholly situated
within a province, is before or after its execution
declared by Parliament to be for the general advantage
of Canada or for the advantage of two or more provinces;
|
|
( i ) a work, undertaking or business outside
the exclusive legislative authority of the legislatures
of the provinces; and
|
|
( j ) a work, undertaking or business to
which federal laws, within the meaning of section
2 of the Oceans Act , apply under section
20 of that Act and any regulations made under paragraph
26(1)( k ) of that Act.
|
organization
|
``organization''
includes an association, a partnership, a person and
a trade union.
|
``personal health information''
|
``personal health
information'', with respect to an individual,
whether living or deceased, means |
|
( a ) information concerning the physical
or mental health of the individual;
|
|
( b ) information concerning any health
service provided to the individual;
|
|
( c ) information concerning the donation
by the individual of any body part or any bodily substance
of the individual or information derived from the
testing or examination of a body part or bodily substance
of the individual;
|
|
( d ) information that is collected in
the course of providing health services to the individual;
or
|
|
( e ) information that is collected incidentally
to the provision of health services to the individual.
|
``personal
information''
|
``personal information''
means information about an identifiable individual,
but does not include the name, title or business address
or telephone number of an employee of an organization.
|
``record''
« document » |
``record''
includes any correspondence, memorandum, book, plan,
map, drawing, diagram, pictorial or graphic work, photograph,
film, microform, sound recording, videotape, machine-readable
record and any other documentary material, regardless
of physical form or characteristics, and any copy of
any of those things.
|
| Notes in Schedule 1 |
(2) In this Part, a reference
to clause 4.3 or 4.9 of Schedule 1 does not include
a reference to the note that accompanies that clause.
|
|
Purpose
|
| Purpose |
3.
The purpose of this Part is to establish,
in an era in which technology increasingly facilitates
the circulation and exchange of information, rules to
govern the collection, use and disclosure of personal
information in a manner that recognizes the right of
privacy of individuals with respect to their personal
information and the need of organizations to collect,
use or disclose personal information for purposes that
a reasonable person would consider appropriate in the
circumstances.
|
|
Application |
| Application
|
4.
(1) This Part applies to every organization
in respect of personal information that |
|
( a ) the organization collects, uses or
discloses in the course of commercial activities;
or
|
|
( b ) is about an employee of the
organization and that the organization collects, uses
or discloses in connection with the operation of a
federal work, undertaking or business.
|
| Limit |
(2) This Part does not
apply to |
|
|
|
( b ) any individual in respect of personal
information that the individual collects, uses or
discloses for personal or domestic purposes and does
not collect, use or disclose for any other purpose;
or
|
|
( c ) any organization in respect of personal
information that the organization collects, uses or
discloses for journalistic, artistic or literary purposes
and does not collect, use or disclose for any other
purpose.
|
| Other Acts |
(3) Every provision of
this Part applies despite any provision, enacted after
this subsection comes into force, of any other Act of
Parliament, unless the other Act expressly declares
that that provision operates despite the provision of
this Part. |
|
DIVISION 1
|
|
PROTECTION OF PERSONAL
INFORMATION
|
| Compliance with obligations
|
5.
(1) Subject to sections 6 to 9, every organization
shall comply with the obligations set out in Schedule
1. |
| Meaning of ``should'' |
(2) The word ``should'',
when used in Schedule 1, indicates a recommendation
and does not impose an obligation. |
| Appropriate
purposes |
(3) An organization may
collect, use or disclose personal information only for
purposes that a reasonable person would consider
are appropriate in the circumstances. |
| Effect of designation of individual
|
6.
The designation of an individual under clause
4.1 of Schedule 1 does not relieve the organization
of the obligation to comply with the obligations set
out in that Schedule. |
| Collection without
knowledge or consent |
7.
(1) For the purpose of clause 4.3 of Schedule
1, and despite the note that accompanies that clause,
an organization may collect personal information without
the knowledge or consent of the individual only if |
|
( a ) the collection is clearly in the interests
of the individual and consent cannot be obtained in
a timely way;
|
|
( b ) it is reasonable to expect that the
collection with the knowledge or consent of the individual
would compromise the availability or the accuracy
of the information and the collection is reasonable
for purposes related to investigating a breach of
an agreement or a contravention of the laws of Canada
or a province;
|
|
( c ) the collection is solely for journalistic,
artistic or literary purposes; or
|
|
|
| Use
without knowledge or consent |
(2) For the purpose of
clause 4.3 of Schedule 1, and despite the note that
accompanies that clause, an organization may, without
the knowledge or consent of the individual, use personal
information only if |
|
( a ) in the course of its activities, the
organization becomes aware of information that it
has reasonable grounds to believe could be useful
in the investigation of a contravention of the laws
of Canada, a province or a foreign jurisdiction that
has been, is being or is about to be committed, and
the information is used for the purpose of investigating
that contravention;
|
|
( b ) it is used for the purpose of acting
in respect of an emergency that threatens the life,
health or security of an individual;
|
| Research |
( c ) it is used for statistical, or scholarly
study or research, purposes that cannot be achieved
without using the information, the information is
used in a manner that will ensure its confidentiality,
it is impracticable to obtain consent and the organization
informs the Commissioner of the use before the information
is used;
|
|
|
|
|
| Disclosure
without knowledge or consent |
(3) For the purpose of
clause 4.3 of Schedule 1, and despite the note that
accompanies that clause, an organization may disclose
personal information without the knowledge or consent
of the individual only if the disclosure is |
|
( a ) made to, in the Province of Quebec,
an advocate or notary or, in any other province, a
barrister or solicitor who is representing the organization;
|
|
|
|
( c ) required to comply with a subpoena
or warrant issued or an order made by a court, person
or body with jurisdiction to compel the production
of information, or to comply with rules of court relating
to the production of records;
|
|
( c .1) made to a government institution
or part of a government institution that has made
a request for the information, identified its lawful
authority to obtain the information and indicated
that
|
|
|
|
(ii) the disclosure is requested for the purpose
of enforcing any law of Canada, a province or a
foreign jurisdiction, carrying out an investigation
relating to the enforcement of any such law or gathering
intelligence for the purpose of enforcing any such
law, or
|
|
|
| Investigative
Body |
|
|
(i) has reasonable grounds to believe that the
information relates to a breach of an agreement
or a contravention of the laws of Canada, a province
or a foreign jurisdiction that has been, is being
or is about to be committed, or
|
|
(ii) suspects that the information relates to national
security, the defence of Canada or the conduct of
international affairs;
|
|
( e ) made to a person who needs the information
because of an emergency that threatens the life, health
or security of an individual and, if the individual
whom the information is about is alive, the organization
informs that individual in writing without delay of
the disclosure;
|
|
( f ) for statistical, or scholarly study
or research, purposes that cannot be achieved without
disclosing the information, it is impracticable to
obtain consent and the organization informs the Commissioner
of the disclosure before the information is disclosed;
|
|
( g ) made to an institution whose functions
include the conservation of records of historic or
archival importance, and the disclosure is made for
the purpose of such conservation;
|
|
|
|
|
|
|
| Publicly
Available |
|
|
( h .2) made by an investigative body and
the disclosure is reasonable for purposes related
to investigating a breach of an agreement or a contravention
of the laws of Canada or a province; or
|
|
|
| Use without consent |
(4) Despite clause 4.5
of Schedule 1, an organization may use personal information
for purposes other than those for which it was collected
in any of the circumstances set out in subsection (2).
|
| Disclosure without consent
|
(5) Despite clause 4.5
of Schedule 1, an organization may disclose personal
information for purposes other than those for which
it was collected in any of the circumstances set out
in paragraphs (3)( a ) to ( h .2).
|
| Written request |
8.
(1) A request under clause 4.9 of Schedule
1 must be made in writing. |
| Assistance |
(2)
An organization shall assist any individual who informs
the organization that they need assistance in preparing
a request to the organization. |
| Time limit |
(3)
An organization shall respond to a request with due
diligence and in any case not later than thirty days
after receipt of the request. |
| Extension of time limit |
(4)
An organization may extend the time limit |
|
|
|
|
|
|
|
( b ) for the period that is necessary in order to be able to convert the personal information into an alternative format.
|
|
|
In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.
|
|
| Deemed refusal |
(5) If the organization fails to respond within the time limit, the organization is deemed to have refused the request.
|
|
Fees
Costs for responding
|
(6) An organization may respond to an individual's request at a cost to the individual only if |
|
|
|
|
|
|
|
| Reasons |
(7) An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.
|
|
| Retention of information |
(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.
|
|
| When access prohibited |
9. (1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
|
|
| Limit |
(2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual's life, health or security is threatened.
|
|
| Information related to paragraphs 7(3)( c ), ( c .1) or ( d ) |
(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization
|
|
|
|
|
|
|
|
|
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)( c ) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)( c .1)(i) or (ii); or
|
|
|
|
|
| Notification and response |
(2.2) An organization to which subsection (2.1) applies
|
|
|
( a ) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and
|
|
|
|
|
|
|
|
|
|
|
| Objection |
(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to
|
|
|
( a ) national security, the defence of Canada or the conduct of international affairs; or
|
|
|
( b ) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
|
|
| Prohibition |
(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization
|
|
|
( a ) shall refuse the request to the extent that it relates to paragraph (2.1)( a ) or to information referred to in subparagraph (2.1)( a )(ii);
|
|
|
( b ) shall notify the Commissioner, in writing and without delay, of the refusal; and
|
|
|
|
|
|
(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)( c ), subparagraph 7(3)( c .1)(i) or (ii) or paragraph 7(3)( d ) or to a request made by a government institution or a part of a government institution under either of those subparagraphs,
|
|
|
|
|
|
|
|
| When access may be refused |
(3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
However, in the circumstances described in paragraph ( b ) or ( c ), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.
|
|
| Limit |
(4) Subsection (3) does not apply if the individual needs the information because an individual's life, health or security is threatened.
|
|
| Notice |
(5) If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)( c .1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.
|
|
| Sensory disability |
10. An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format if
|
|
|
|
|
|
( b ) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Part.
|
|
|
DIVISION 2
|
|
|
REMEDIES
|
|
|
Filing of Complaints
|
|
Contraven-
tion |
11.
(1) An individual may file with the Commissioner
a written complaint against an organization for contravening
a provision of Division 1 or for not following a recommendation
set out in Schedule 1.
|
|
| Commissioner may initiate complaint |
(2) If the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Part, the Commissioner may initiate a complaint in respect of the matter.
|
|
| Time limit |
(3) A complaint that results from the refusal to grant a request under section 8 must be filed within six months, or any longer period that the Commissioner allows, after the refusal or after the expiry of the time limit for responding to the request, as the case may be.
|
|
| Notice |
(4) The Commissioner shall give notice of a complaint to the organization against which the complaint was made.
|
|
|
Investigations of Complaints
|
|
| Powers of Commissioner |
12.
(1) The Commissioner shall conduct an investigation
in respect of a complaint and, for that purpose, may
|
|
|
( a ) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary to investigate the complaint, in the same manner and to the same extent as a superior court of record;
|
|
|
|
|
|
( c ) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;
|
|
|
( d ) at any reasonable time, enter any premises, other than a dwelling-house, occupied by an organization on satisfying any security requirements of the organization relating to the premises;
|
|
|
( e ) converse in private with any person in any premises entered under paragraph ( d ) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and
|
|
|
( f ) examine or obtain copies of or extracts from records found in any premises entered under paragraph ( d ) that contain any matter relevant to the investigation.
|
|
| Dispute resolution mechanisms |
(2) The Commissioner may attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.
|
|
| Delegation |
(3) The Commissioner may delegate any of the powers set out in subsection (1) or (2).
|
|
| Return of records |
(4) The Commissioner or the delegate shall return to a person or an organization any record or thing that they produced under this section within ten days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.
|
|
| Certificate of delegation |
(5) Any person to whom powers set out in subsection (1) are delegated shall be given a certificate of the delegation and the delegate shall produce the certificate, on request, to the person in charge of any premises to be entered under paragraph (1)( d ).
|
|
|
Commissioner's Report
|
|
| Contents |
13.
(1) The Commissioner shall, within one year
after the day on which a complaint is filed or is initiated
by the Commissioner, prepare a report that contains
|
|
|
|
|
|
|
|
|
( c ) if appropriate, a request that the organization give the Commissioner, within a specified time, notice of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken; and
|
|
|
( d ) the recourse, if any, that is available under section 14.
|
|
| Where no report |
(2) The Commissioner is not required to prepare a report if the Commissioner is satisfied that
|
|
|
( a ) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available;
|
|
|
( b ) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province;
|
|
|
( c ) the length of time that has elapsed between the date when the subject-matter of the complaint arose and the date when the complaint was filed is such that a report would not serve a useful purpose; or
|
|
|
( d ) the complaint is trivial, frivolous or vexatious or is made in bad faith.
|
|
|
If a report is not to be prepared, the Commissioner shall inform the complainant and the organization and give reasons.
|
|
| Report to parties |
(3) The report shall be sent to the complainant and the organization without delay.
|
|
|
Hearing by Court
|
|
| Application |
14.
(1) A complainant may, after receiving the
Commissioner's report, apply to the Court for a hearing
in respect of any matter in respect of which the complaint
was made, or that is referred to in the Commissioner's
report, and that is referred to in clause 4.1.3, 4.2,
4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause
4.3, 4.5 or 4.9 of that Schedule as modified or clarified
by Division 1, in subsection 5(3) or 8(6) or (7) or
in section 10.
|
|
| Time of application |
(2) The application must be made within forty-five days after the report is sent or within any further time that the Court may, either before or after the expiry of those forty-five days, allow.
|
|
| For greater certainty |
(3) For greater certainty, subsections (1) and (2) apply in the same manner to complaints referred to in subsection 11(2) as to complaints referred to in subsection 11(1).
|
|
| Commissioner may apply or appear |
15.
The Commissioner may, in respect of a complaint
that the Commissioner did not initiate,
|
|
|
( a ) apply to the Court, within the time limited by section 14, for a hearing in respect of any matter described in that section, if the Commissioner has the consent of the complainant;
|
|
|
( b ) appear before the Court on behalf of any complainant who has applied for a hearing under section 14; or
|
|
|
( c ) with leave of the Court, appear as a party to any hearing applied for under section 14.
|
|
| Remedies |
16.
The Court may, in addition to any other remedies
it may give,
|
|
|
|
|
|
( b ) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph ( a ); and
|
|
|
( c ) award damages to the complainant, including damages for any humiliation that the complainant has suffered.
|
|
| Summary hearings |
17.
(1) An application made under section 14 or
15 shall be heard and determined without delay and in
a summary way unless the Court considers it inappropriate
to do so.
|
|
| Precautions |
(2) In any proceedings arising from an application made under section 14 or 15, the Court shall take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1.
|
|
|
DIVISION 3
|
|
|
AUDITS
|
|
| To ensure compliance |
18.
(1) The Commissioner may, on reasonable notice
and at any reasonable time, audit the personal information
management practices of an organization if the Commissioner
has reasonable grounds to believe that the organization
is contravening a provision of Division 1 or is not
following a recommendation set out in Schedule 1, and
for that purpose may |
|
|
( a ) summon and enforce the appearance
of persons before the Commissioner and compel them
to give oral or written evidence on oath and to produce
any records and things that the Commissioner considers
necessary for the audit, in the same manner and to
the same extent as a superior court of record;
|
|
|
|
|
|
( c ) receive and accept any evidence and
other information, whether on oath, by affidavit or
otherwise, that the Commissioner sees fit, whether
or not it is or would be admissible in a court of
law;
|
|
|
( d ) at any reasonable time, enter any
premises, other than a dwelling-house, occupied by
the organization on satisfying any security requirements
of the organization relating to the premises;
|
|
|
( e ) converse in private with any person
in any premises entered under paragraph ( d )
and otherwise carry out in those premises any inquiries
that the Commissioner sees fit; and
|
|
|
( f ) examine or obtain copies of or extracts
from records found in any premises entered under paragraph
( d ) that contain any matter relevant to
the audit.
|
|
| Delegation |
(2) The Commissioner may
delegate any of the powers set out in subsection (1).
|
|
| Return of records |
(3) The Commissioner or
the delegate shall return to a person or an organization
any record or thing they produced under this section
within ten days after they make a request to the Commissioner
or the delegate, but nothing precludes the Commissioner
or the delegate from again requiring that the record
or thing be produced. |
|
| Certificate of delegation
|
(4) Any person to whom
powers set out in subsection (1) are delegated shall
be given a certificate of the delegation and the delegate
shall produce the certificate, on request, to the person
in charge of any premises to be entered under paragraph
(1)( d ). |
|
Report of findings and recommenda-
tions |
19.
(1) After an audit, the Commissioner shall
provide the audited organization with a report that
contains the findings of the audit and any recommendations
that the Commissioner considers appropriate. |
|
| Reports may be included in
annual reports |
(2) The report may be included
in a report made under section 25. |
|
|
DIVISION 4
|
|
|
GENERAL-Commissioners
Powers
|
|
Confiden-
tiality |
20.
(1) Subject to subsections (2) to (5), 13(3)
and 19(1), the Commissioner or any person acting on
behalf or under the direction of the Commissioner shall
not disclose any information that comes to their knowledge
as a result of the performance or exercise of any of
the Commissioner's duties or powers under this Part.
|
|
| Public interest |
(2) The Commissioner may
make public any information relating to the personal
information management practices of an organization
if the Commissioner considers that it is in the public
interest to do so. |
|
| Disclosure of necessary information
|
(3) The Commissioner may
disclose, or may authorize any person acting on behalf
or under the direction of the Commissioner to disclose,
information that in the Commissioner's opinion is necessary
to |
|
|
|
|
|
( b ) establish the grounds for findings
and recommendations contained in any report under
this Part.
|
|
| Disclosure in the course of
proceedings |
(4) The Commissioner may
disclose, or may authorize any person acting on behalf
or under the direction of the Commissioner to disclose,
information in the course of |
|
|
|
|
|
( b ) a prosecution for an offence under
section 132 of the Criminal Code (perjury)
in respect of a statement made under this Part;
|
|
|
|
|
|
|
|
| Disclosure of offence authorized
|
(5) The Commissioner may
disclose to the Attorney General of Canada or of a province,
as the case may be, information relating to the commission
of an offence against any law of Canada or a province
on the part of an officer or employee of an organization
if, in the Commissioner's opinion, there is evidence
of an offence. |
|
| Not competent witness |
21.
The Commissioner or person acting on behalf
or under the direction of the Commissioner is not a
competent witness in respect of any matter that comes
to their knowledge as a result of the performance or
exercise of any of the Commissioner's duties or powers
under this Part in any proceeding other than |
|
|
|
|
|
