S.C. 2000, c. 5
Assented to 2000-04-13

An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act

Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

Marginal note: Short title
1 This Act may be cited as the Personal Information Protection and Electronic Documents Act.

Marginal note: Definitions
2 (1) The definitions in this subsection apply in this Part.

alternative format, with respect to personal information, means a format that allows a person with a sensory disability to read or listen to the personal information. (support de substitution)

breach of security safeguards means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards. (atteinte aux mesures de sécurité)

business contact information means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address. (coordonnées d’affaires)

business transaction includes
(a) the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;
(b) the merger or amalgamation of two or more organizations;
(c) the making of a loan or provision of other financing to an organization or a part of an organization;
(d) the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
(e) the lease or licensing of any of an organization’s assets; and
(f) any other prescribed arrangement between two or more organizations to conduct a business activity. (transaction commerciale)

commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. (activité commerciale)

Commissioner means the Privacy Commissioner appointed under section 53 of the Privacy Act. (commissaire)

Court means the Federal Court. (Cour)

federal work, undertaking or business means any work, undertaking or business that is within the legislative authority of Parliament. It includes
(a) a work, undertaking or business that is operated or carried on for or in connection with navigation and shipping, whether inland or maritime, including the operation of ships and transportation by ship anywhere in Canada;
(b) a railway, canal, telegraph or other work or undertaking that connects a province with another province, or that extends beyond the limits of a province;
(c) a line of ships that connects a province with another province, or that extends beyond the limits of a province;
(d) a ferry between a province and another province or between a province and a country other than Canada;
(e) aerodromes, aircraft or a line of air transportation;
(f) a radio broadcasting station;
(g) a bank or an authorized foreign bank as defined in section 2 of the Bank Act;
(h) a work that, although wholly situated within a province, is before or after its execution declared by Parliament to be for the general advantage of Canada or for the advantage of two or more provinces;
(i) a work, undertaking or business outside the exclusive legislative authority of the legislatures of the provinces; and
(j) a work, undertaking or business to which federal laws, within the meaning of section 2 of the Oceans Act, apply under section 20 of that Act and any regulations made under paragraph 26(1)(k) of that Act. (entreprises fédérales)

organization includes an association, a partnership, a person and a trade union. (organisation)

personal health information, with respect to an individual, whether living or deceased, means
(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
(d) information that is collected in the course of providing health services to the individual; or
(e) information that is collected incidentally to the provision of health services to the individual. (renseignement personnel sur la santé)

personal information means information about an identifiable individual. (renseignement personnel)

prescribed means prescribed by regulation. (Version anglaise seulement)

record includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things. (document)

Marginal note: Notes in Schedule 1
(2) In this Part, a reference to clause 4.3 or 4.9 of Schedule 1 does not include a reference to the note that accompanies that clause.

Purpose

Marginal note: Purpose
3 The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Application

Marginal note: Application
Marginal note: Business contact information
4.01 This Part does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.

Marginal note: Certificate under Canada Evidence Act

DIVISION 1
Protection of Personal Information

Marginal note: Compliance with obligations

Marginal note: Effect of designation of individual
6 The designation of an individual under clause 4.1 of Schedule 1 does not relieve the organization of the obligation to comply with the obligations set out in that Schedule.

Marginal note: Valid consent
6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
Marginal note: Collection without knowledge or consent

Marginal note: Definitions

Marginal note: Prospective business transaction

Marginal note: Employment relationship
7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

Marginal note: Use without consent

Marginal note: Written request

Marginal note: When access prohibited

Marginal note: Sensory disability
10 An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format if
DIVISION 1.1
Breaches of Security Safeguards

Marginal note: Report to Commissioner

Marginal note: Notification to organizations

Marginal note: Records

DIVISION 2
Remedies

Filing of Complaints

Marginal note: Contravention

Investigations of Complaints

Marginal note: Examination of complaint by Commissioner

Marginal note: Powers of Commissioner

Discontinuance of Investigation

Marginal note: Reasons

Commissioner’s Report

Marginal note: Contents

Hearing by Court

Marginal note: Application

Marginal note: Commissioner may apply or appear
15 The Commissioner may, in respect of a complaint that the Commissioner did not initiate,

Marginal note: Remedies
16 The Court may, in addition to any other remedies it may give,

Marginal note: Summary hearings

Compliance Agreements

Marginal note: Compliance agreement

Marginal note: Agreement complied with

DIVISION 3
Audits

Marginal note: To ensure compliance

Marginal note: Report of findings and recommendations

DIVISION 4
General

Marginal note: Confidentiality

Marginal note: Not competent witness
21 The Commissioner or person acting on behalf or under the direction of the Commissioner is not a competent witness in respect of any matter that comes to their knowledge as a result of the performance or exercise of any of the Commissioner’s duties or powers under this Part in any proceeding other than

Marginal note: Protection of Commissioner

Marginal note: Consultations with provinces

Marginal note: Disclosure of information to foreign state

Marginal note: Promoting the purposes of the Part
24 The Commissioner shall

Marginal note: Annual report

Marginal note: Regulations

Marginal note: Whistleblowing

Marginal note: Prohibition

Marginal note: Offence and punishment
28 Every organization that knowingly contravenes subsection 8(8), section 10.1 or subsection 10.3(1) or 27.1(1) or that obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty of

Marginal note: Review of Part by parliamentary committee

DIVISION 5
Transitional Provisions

Marginal note: Application
PART 2
Electronic Documents

Interpretation

Marginal note: Definitions

Purpose

Marginal note: Purpose
32 The purpose of this Part is to provide for the use of electronic alternatives in the manner provided for in this Part where federal laws contemplate the use of paper to record or communicate information or transactions.

Electronic Alternatives

Marginal note: Collection, storage, etc.
33 A minister of the Crown and any department, branch, office, board, agency, commission, corporation or body for the administration of affairs of which a minister of the Crown is accountable to the Parliament of Canada may use electronic means to create, collect, receive, store, transfer, distribute, publish or otherwise deal with documents or information whenever a federal law does not specify the manner of doing so.

Marginal note: Electronic payment
34 A payment that is required to be made to the Government of Canada may be made in electronic form in any manner specified by the Receiver General.

Marginal note: Electronic version of statutory form

Marginal note: Documents as evidence or proof
36 A provision of a federal law that provides that a certificate or other document signed by a minister or public officer is proof of any matter or thing, or is admissible in evidence, is, subject to the federal law, satisfied by an electronic version of the certificate or other document if the electronic version is signed by the minister or public officer with that person’s secure electronic signature.

Marginal note: Retention of documents
37 A requirement under a provision of a federal law to retain a document for a specified period is satisfied, with respect to an electronic document, by the retention of the electronic document if

Marginal note: Notarial act
38 A reference in a provision of a federal law to a document recognized as a notarial act in the province of Quebec is deemed to include an electronic version of the document if

Marginal note: Seals
39 A requirement under a provision of a federal law for a person’s seal is satisfied by a secure electronic signature that identifies the secure electronic signature as the person’s seal if the federal law or the provision is listed in Schedule 2 or 3.

Marginal note: Requirements to provide documents or information
40 A provision of a federal law requiring a person to provide another person with a document or information, other than a provision referred to in any of sections 41 to 47, is satisfied by the provision of the document or information in electronic form if

Marginal note: Writing requirements
41 A requirement under a provision of a federal law for a document to be in writing is satisfied by an electronic document if

Marginal note: Original documents
42 A requirement under a provision of a federal law for a document to be in its original form is satisfied by an electronic document if

Marginal note: Signatures
43 Subject to sections 44 to 46, a requirement under a provision of a federal law for a signature is satisfied by an electronic signature if

Marginal note: Statements made under oath
44 A statement required to be made under oath or solemn affirmation under a provision of a federal law may be made in electronic form if

Marginal note: Statements declaring truth, etc.
45 A statement required to be made under a provision of a federal law declaring or certifying that any information given by a person making the statement is true, accurate or complete may be made in electronic form if

Marginal note: Witnessed signatures
46 A requirement under a provision of a federal law for a signature to be witnessed is satisfied with respect to an electronic document if

Marginal note: Copies
47 A requirement under a provision of a federal law for one or more copies of a document to be submitted is satisfied by the submission of an electronic document if

Regulations and Orders

Marginal note: Regulations

Marginal note: Amendment of schedules
49 For the purposes of sections 38 to 47, the responsible authority in respect of a provision of a federal law may, by order, amend Schedule 2 or 3 by adding or striking out a reference to that federal law or provision.

Marginal note: Regulations

Marginal note: Effect of striking out listed provision
51 The striking out of a reference to a federal law or provision in Schedule 2 or 3 does not affect the validity of anything done in compliance with any regulation made under section 50 that relates to that federal law or provision while it was listed in that Schedule.

PART 3
Amendments to the Canada Evidence Act
52 to 57 [Amendments]

PART 4
Amendments to the Statutory Instruments Act
58 and 59 [Amendments]

PART 5
Amendments to the Statute Revision Act
60 to 71 [Amendments]

PART 6
Coming into Force

Marginal note: Coming into force
*72 Parts 1 to 5 or any provision of those Parts come into force on a day or days to be fixed by order of the Governor in Council made on the recommendation of
SCHEDULE 1
(Section 5)
Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96

4.1 Principle 1 — Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

4.1.1 Accountability for the organization’s compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).

4.1.2 The identity of the individual(s) designated by the organization to oversee the organization’s compliance with the principles shall be made known upon request.

4.1.3 An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.

4.1.4 Organizations shall implement policies and practices to give effect to the principles, including

4.2 Principle 2 — Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

4.2.1 The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).

4.2.2 Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.

4.2.3 The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.

4.2.4 When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent principle (Clause 4.3).

4.2.5 Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.

4.2.6 This principle is linked closely to the Limiting Collection principle (Clause 4.4) and the Limiting Use, Disclosure, and Retention principle (Clause 4.5).

4.3 Principle 3 — Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.

4.3.1 Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).

4.3.2 The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

4.3.3 An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

4.3.4 The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.

4.3.5 In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.

4.3.6 The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).

4.3.7 Individuals can give consent in many ways. For example:

4.3.8 An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

4.4 Principle 4 — Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

4.4.1 Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).

4.4.2 The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.

4.4.3 This principle is linked closely to the Identifying Purposes principle (Clause 4.2) and the Consent principle (Clause 4.3).

4.5 Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

4.5.1 Organizations using personal information for a new purpose shall document this purpose (see Clause 4.2.1).

4.5.2 Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.

4.5.3 Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.

4.5.4 This principle is closely linked to the Consent principle (Clause 4.3), the Identifying Purposes principle (Clause 4.2), and the Individual Access principle (Clause 4.9).

4.6 Principle 6 — Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

4.6.1 The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

4.6.2 An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.

4.6.3 Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

4.7 Principle 7 — Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

4.7.1 The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.

4.7.2 The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.

4.7.3 The methods of protection should include

4.7.4 Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.

4.7.5 Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).

4.8 Principle 8 — Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

4.8.1 Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

4.8.2 The information made available shall include

4.8.3 An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.

4.9 Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

4.9.1 Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.

4.9.2 An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.

4.9.3 In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.

4.9.4 An organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.

4.9.5 When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.

4.9.6 When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

4.10 Principle 10 — Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

4.10.1 The individual accountable for an organization’s compliance is discussed in Clause 4.1.1.

4.10.2 Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.

4.10.3 Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist. For example, some regulatory bodies accept complaints about the personal-information handling practices of the companies they regulate.

4.10.4 An organization shall investigate all complaints. If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.
SCHEDULE 4
(Subsection 4(1.1) and paragraph 26(2)(c))
Organizations
Is whistleblowing the same as reporting an unauthorized disclosure?
No, they use different reporting procedures.

The Whistleblower Protection Enhancement Act (WPEA) relates to reporting all of the following except?
Classified info or controlled unclassified info (CUI) in the public domain.

What is the name for the unintentional transfer of classified information?
Spills: The unintentional transfer of classified or sensitive information to unaccredited or unauthorized systems, individuals, applications, or media.

What is an unauthorized disclosure?
Unauthorized disclosure means a communication or physical transfer of classified information to an unauthorized recipient.

What level of damage can the unauthorized disclosure of information classified as confidential cause?
The unauthorized disclosure of Confidential information could reasonably be expected to cause damage to national security. The unauthorized disclosure of Secret information could reasonably be expected to cause serious damage to national security.