Personal Information Protection and Electronic Documents Act

This Act may be cited as the Personal Information Protection and Electronic Documents Act.

The definitions in this subsection apply in this Part.

alternative format, with respect to personal information, means a format that allows a person with a sensory disability to read or listen to the personal information. (support de substitution)

breach of security safeguards means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards. (atteinte aux mesures de sécurité)

business contact information means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address. (coordonnées d’affaires)

business transaction includes

the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;

the merger or amalgamation of two or more organizations;

the making of a loan or provision of other financing to an organization or a part of an organization;

the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;

the lease or licensing of any of an organization’s assets; and

any other prescribed arrangement between two or more organizations to conduct a business activity. (transaction commerciale)

commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. (activité commerciale)

Commissioner means the Privacy Commissioner appointed under section 53 of the Privacy Act. (commissaire)

Court means the Federal Court. (Cour)

federal work, undertaking or business means any work, undertaking or business that is within the legislative authority of Parliament. It includes

a work, undertaking or business that is operated or carried on for or in connection with navigation and shipping, whether inland or maritime, including the operation of ships and transportation by ship anywhere in Canada;

a railway, canal, telegraph or other work or undertaking that connects a province with another province, or that extends beyond the limits of a province;

a line of ships that connects a province with another province, or that extends beyond the limits of a province;

a ferry between a province and another province or between a province and a country other than Canada;

aerodromes, aircraft or a line of air transportation;

a radio broadcasting station;

a bank or an authorized foreign bank as defined in section 2 of the Bank Act;

a work that, although wholly situated within a province, is before or after its execution declared by Parliament to be for the general advantage of Canada or for the advantage of two or more provinces;

a work, undertaking or business outside the exclusive legislative authority of the legislatures of the provinces; and

a work, undertaking or business to which federal laws, within the meaning of section 2 of the Oceans Act, apply under section 20 of that Act and any regulations made under paragraph 26(1)(k) of that Act. (entreprises fédérales)

organization includes an association, a partnership, a person and a trade union. (organisation)

personal health information, with respect to an individual, whether living or deceased, means

information concerning the physical or mental health of the individual;

information concerning any health service provided to the individual;

information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;

information that is collected in the course of providing health services to the individual; or

information that is collected incidentally to the provision of health services to the individual. (renseignement personnel sur la santé)

personal information means information about an identifiable individual. (renseignement personnel)

prescribed means prescribed by regulation. (Version anglaise seulement)

record includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things. (document)

In this Part, a reference to clause 4.3 or 4.9 of Schedule 1 does not include a reference to the note that accompanies that clause.

The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

This Part applies to every organization in respect of personal information that

the organization collects, uses or discloses in the course of commercial activities; or

is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

This Part applies to an organization set out in column 1 of Schedule 4 in respect of personal information set out in column 2.

This Part does not apply to

any government institution to which the Privacy Act applies;

any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or

any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.

Every provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part. [Note: Subsection 4(3) in force January 1, 2001, see SI/2000-29.]

This Part does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.

If a certificate under section 38.13 or 38.41 of the Canada Evidence Act prohibiting the disclosure of personal information of a specific individual is issued before a complaint is filed by that individual under this Part in respect of a request for access to that information, the provisions of this Part respecting that individual’s right of access to their personal information do not apply to the information that is subject to the certificate.

Despite any other provision of this Part, if a certificate under section 38.13 or 38.41 of the Canada Evidence Act prohibiting the disclosure of personal information of a specific individual is issued after the filing of a complaint under this Part in relation to a request for access to that information:

all proceedings under this Part in respect of that information, including an investigation, audit, appeal or judicial review, are discontinued;

the Commissioner shall not disclose the information and shall take all necessary precautions to prevent its disclosure; and

the Commissioner shall, within 10 days after the certificate is published in the Canada Gazette, return the information to the organization that provided the information.

The Commissioner and every person acting on behalf or under the direction of the Commissioner, in carrying out their functions under this Part, shall not disclose information subject to a certificate issued under section 38.13 or 38.41 of the Canada Evidence Act, and shall take every reasonable precaution to avoid the disclosure of that information.

The Commissioner may not delegate the investigation of any complaint relating to information subject to a certificate issued under section 38.13 or 38.41 of the Canada Evidence Act except to one of a maximum of four officers or employees of the Commissioner specifically designated by the Commissioner for the purpose of conducting that investigation.

Subject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.

The word should, when used in Schedule 1, indicates a recommendation and does not impose an obligation.

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

The designation of an individual under clause 4.1 of Schedule 1 does not relieve the organization of the obligation to comply with the obligations set out in that Schedule.

For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if

the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;

it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;

it was disclosed under paragraph (3)(d.21);

it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;

it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;

the collection is solely for journalistic, artistic or literary purposes;

the information is publicly available and is specified by the regulations; or

the collection is made for the purpose of making a disclosure

under subparagraph (3)(c.1)(i) or (d)(ii), or

that is required by law.

For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if

in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;

it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;

the information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;

the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced;

it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used;

it is publicly available and is specified by the regulations; or

it was collected under paragraph (1)(a), (b), (b.01) or (e).

For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

made to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization;

for the purpose of collecting a debt owed by the individual to the organization;

required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,

the disclosure is requested for the purpose of administering any law of Canada or a province, or

the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;

made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section;

made on the initiative of the organization to a government institution or a part of a government institution and the organization

has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

made to another organization under subsection 11.01(1) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;

made on the initiative of the organization to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and

the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse,

the disclosure is made solely for purposes related to preventing or investigating the abuse, and

it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse;

necessary to identify the individual who is injured, ill or deceased, made to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and, if the individual is alive, the organization informs that individual in writing without delay of the disclosure;

made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

of information that is contained in a witness statement and the disclosure is necessary to assess, process or settle an insurance claim;

of information that was produced by the individual in the course of their employment, business or profession and the disclosure is consistent with the purposes for which the information was produced;

for statistical, or scholarly study or research, purposes that cannot be achieved without disclosing the information, it is impracticable to obtain consent and the organization informs the Commissioner of the disclosure before the information is disclosed;

made to an institution whose functions include the conservation of records of historic or archival importance, and the disclosure is made for the purpose of such conservation;

made after the earlier of

one hundred years after the record containing the information was created, and

twenty years after the death of the individual whom the information is about;

of information that is publicly available and is specified by the regulations; or

[Repealed, 2015, c. 32, s. 6]

required by law.

Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection (2).

Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.1).

The following definitions apply in this section.

access means to program, to execute programs on, to communicate with, to store data in, to retrieve data from, or to otherwise make use of any resources, including data or programs on a computer system or a computer network. (utiliser)

computer program has the same meaning as in subsection 342.1(2) of the Criminal Code. (programme d’ordinateur)

computer system has the same meaning as in subsection 342.1(2) of the Criminal Code. (ordinateur)

electronic address means an address used in connection with

an electronic mail account;

an instant messaging account; or

any similar account. (adresse électronique)

Paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of

the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or

the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a).

Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of

the collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; or

the use of personal information that is collected in a manner described in paragraph (a).

In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

the organizations have entered into an agreement that requires the organization that receives the personal information

to use and disclose that information solely for purposes related to the transaction,

to protect that information by security safeguards appropriate to the sensitivity of the information, and

if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

the personal information is necessary

to determine whether to proceed with the transaction, and

if the determination is made to proceed with the transaction, to complete it.

In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if

the organizations have entered into an agreement that requires each of them

to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

to protect that information by security safeguards appropriate to the sensitivity of the information, and

to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

An organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).

Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.

In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.

Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.

A request under clause 4.9 of Schedule 1 must be made in writing.

An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

An organization may extend the time limit In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

for a maximum of thirty days if

meeting the time limit would unreasonably interfere with the activities of the organization, or

the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or

for the period that is necessary in order to be able to convert the personal information into an alternative format.

If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

An organization may respond to an individual’s request at a cost to the individual only if

the organization has informed the individual of the approximate cost; and

the individual has advised the organization that the request is not being withdrawn.

An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.

Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.

Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual’s life, health or security is threatened.

An organization shall comply with subsection (2.2) if an individual requests that the organization

inform the individual about

any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or

the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

give the individual access to the information referred to in subparagraph (a)(ii).

An organization to which subsection (2.1) applies

shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

shall not respond to the request before the earlier of

the day on which it is notified under subsection (2.3), and

thirty days after the day on which the institution or part was notified.

Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

national security, the defence of Canada or the conduct of international affairs;

the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);

shall notify the Commissioner, in writing and without delay, of the refusal; and

shall not disclose to the individual

any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,

that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or