Office of the Privacy Commissioner of Canada
PIPEDA
A GUIDE FOR BUSINESSES AND ORGANIZATIONS
Your Privacy Responsibilities
Canada’s Personal Information Protection and Electronic Documents Act

YOUR PRIVACY RESPONSIBILITIES – A GUIDE TO CANADA’S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
About This Guide
This guide helps businesses understand and meet their new obligations under Part 1 of the Personal Information Protection and Electronic Documents Act. *

The Act sets out ground rules for the management of personal information in the private sector. It balances an individual’s right to the privacy of personal information with the need of organizations to collect, use or disclose personal information for legitimate business purposes.

The Act establishes the Privacy Commissioner of Canada as the ombudsman for complaints under the new law. The Commissioner seeks whenever possible to solve problems through voluntary compliance, rather than heavy-handed enforcement. The Commissioner investigates complaints, conducts audits, promotes awareness of and undertakes research about privacy matters. The Commissioner is also the ombudsman for complaints under the Privacy Act, which covers the federal public sector.
Part 1 of the Act came into force in three phases, beginning January 1, 2001.
For more information, contact:
The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3
Telephone: (613) 995-8210
Toll-free: 1 (800) 282-1376
Fax: (613) 947-6850
Web site: www.privcom.gc.ca
While prepared with care to ensure accuracy and completeness, this guide has no legal status.
For the official text of the new law, consult our Web site at www.privcom.gc.ca or call the Office
of the Privacy Commissioner of Canada.
IP54-2/2004
ISBN: 0-662-68004-9
Updated September 2009
* This guide deals only with Part 1 of the Act. All references to the Act in this document refer only to Part 1. Parts 2 to 5 of the Act concern the use of electronic documents and signatures as legal alternatives to original documents and signatures. For information on these, contact the Department of Justice.
Introduction

The Office of the Privacy Commissioner of Canada has prepared this guide to help organizations fulfil their responsibilities under the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA is good news for both organizations and individuals. Individuals will appreciate doing business with organizations that demonstrate a respect for their privacy rights, which can ultimately lead to a competitive advantage. Organizations can see this as an opportunity to review and improve their personal information handling practices.

The Act in Brief

Organizations covered by the Act must obtain an individual’s consent when they collect, use or disclose the individual’s personal information. The individual has a right to access personal information held by an organization and to challenge its accuracy, if need be. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, consent must be obtained again. Individuals should also be assured that their information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

Complaints

An individual may complain to the organization in question or to the Office of the Privacy Commissioner of Canada about any alleged breaches of the law. The Commissioner may also initiate a complaint, if there are reasonable grounds.

Application to the Federal Court

After receiving the Office of the Privacy Commissioner of Canada’s investigation report, a complainant may apply to the Federal Court for a hearing under certain conditions as set out in Section 14 of the Act. The Privacy Commissioner of Canada may also apply to the Court on her own or on the complainant’s behalf. The Court may order an organization to change its practices and/or award damages to a complainant, including damages for humiliation suffered.

Audits

The Commissioner may, with reasonable grounds, audit the personal information management practices of an organization.

Offences

It is an offence to:
• destroy personal information that an individual has requested;
• retaliate against an employee who has complained to the Commissioner or who refuses to contravene Sections 5 to 10 of the Act; or
• obstruct a complaint investigation or an audit by the Commissioner or her delegate.
DEFINITIONS

Personal information
Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
• age, name, ID numbers, income, ethnic origin, or blood type;
• opinions, evaluations, comments, social status, or disciplinary actions; and
• employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Personal information does not include the name, title or business address or telephone number of an employee of an organization.

Commercial activity
Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.

Organization
An organization includes an association, a partnership, a person or a trade union.

Consent
Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.

Disclosure
Making personal information available to others outside the organization.

Use
Refers to the treatment and handling of personal information within an organization.

Federal work, undertaking or business
Includes “any work, undertaking or business that is under the legislative authority of Parliament”. While most federally regulated organizations would be captured under this definition, not all these types of organizations are federal works. For instance, insurance companies and credit unions may be subject to some federal regulation, but are considered to be within provincial jurisdiction under the Constitution and are not federal works for the purposes of the Act. The Act defines some of the specific federal works subject to Part 1 as follows:
• airports, aircraft or airlines
• banks
• grain elevators
• inter-provincial or international transportation by land or water
• nuclear facilities
• telecommunications
• offshore drilling operations
• radio and television broadcasting
Note that this is not an exhaustive list of “federal works, undertakings and businesses”. The fact that your company is federally incorporated does not necessarily mean that it is a federal work, undertaking or business. If your company is subject to any part of the Canada Labour Code, it is probably a federal work, undertaking or business.
Is Your Organization Subject to the Act?

PIPEDA came into effect in three stages:

January 1, 2001
In its first stage, the Act began applying to personal information (except personal health information) that is collected, used or disclosed in the course of commercial activities by federal works, undertakings and businesses. This includes, but is not limited to, federally-regulated organizations such as banks, telecommunications and transportation companies.

At this stage the Act began applying to personal data that is collected, used or disclosed by these same organizations about their employees. In addition, at this stage the Act began applying to disclosures of personal information for consideration across provincial or national borders, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information. The information itself must be the subject of the transaction and the consideration is for the information.

January 1, 2002
The Act extended to personal health information for the organizations and activities covered in the first stage. Personal health information is defined as information about an individual’s mental or physical health, including information concerning health services provided and information about tests and examinations.

January 1, 2004
The Act extended to the collection, use or disclosure of personal information in the course of any commercial activity within a province. However, the federal government may exempt organizations and/or activities in provinces that have adopted substantially similar privacy legislation. The Act also applies to all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.

To date, Quebec, British Columbia and Alberta have adopted legislation deemed substantially similar to the federal law. The federal government has stated that organizations and activities subject to the substantially similar privacy legislation in these three provinces will be exempted from the federal act for intraprovincial matters.

In November 2003, the Governor in Council issued an Order in Council declaring Quebec’s An Act Respecting the Protection of Personal Information in the Private Sector substantially similar. The Act, which predated PIPEDA, came into effect on January 1, 1994.

British Columbia and Alberta each adopted legislation in 2003 that applies to all organizations within the two provinces, except for those covered by other provincial privacy legislation, and federal works, undertakings or businesses that remain subject to PIPEDA. The two laws – both called the Personal Information Protection Act – came into force on January 1, 2004. The Governor in Council has issued two Orders in Council exempting organizations, other than federal works, undertakings or businesses, in Alberta and British Columbia respectively, from the application of PIPEDA.

Ontario’s Personal Health Information Protection Act (PHIPA) came into force on November 1, 2004. PHIPA establishes rules for the collection, use and disclosure of personal health information by health information custodians in Ontario. Health information custodians are individuals or organizations listed under PHIPA that, as a result of their power or duties, have custody or control of personal health information.

In November 2005, the Governor in Council issued an Order in Council exempting health information custodians in Ontario from the application of PIPEDA. As a result, Ontario health information custodians will not be subject to PIPEDA with respect to the collection, use and disclosure of personal health information. The Information and Privacy Commissioner of Ontario will be responsible for ensuring compliance with PHIPA, including investigating complaints about the personal information practices of health information custodians within the province.

The Privacy Commissioner will continue to be responsible for oversight in relation to the collection, use and disclosure of personal health information that crosses provincial boundaries in the course of commercial activity. As well, our Office will continue to be responsible for personal health information collected, used or disclosed in Ontario in the course of commercial activities by organizations that are not health information custodians.

What is not covered by the Act?
• The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act
• Provincial or territorial governments and their agents
• An employee’s name, title, business address or telephone number
• An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
• An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes
• Employee information – except in the federally-regulated sector

See relevant fact sheets on this and other issues on our Web site.
Your Responsibilities under the Act

Organizations must follow a code for the protection of personal information, which is included in the Act as Schedule 1.

The code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association.

It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.

An organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued consumer confidence and good will.

The 10 principles that businesses must follow are:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance

These principles must be read in conjunction with key sections of the Act, particularly:

Sections 2 to 10 of the Act
Schedule 1 must be read in conjunction with Sections 2 to 10 of the Act. It is essential to carefully consider the obligations set out in these sections, along with the 10 principles.

Section 2
• Provides definitions including commercial activity, federal work, undertaking or business, personal information, personal health information and organization.
• Specifies that the notes under clauses 4.3 and 4.9 of Schedule 1 are not part of the law.

Section 3
Defines the purpose of the Act:
• recognizes individuals’ right to privacy of their personal information
• recognizes the need of organizations to collect, use or disclose personal information for legitimate business purposes
• establishes rules for handling personal information

Section 4
Defines the scope of the Act’s application:
• covers all organizations that collect, use or disclose personal information in the course of commercial activities
• includes the personal information of an employee of a federal work, undertaking or business but not the personal information of other private sector employees.

Section 5
• Stipulates that every organization must comply with the obligations of Schedule 1.
• Indicates what is not covered by the Act.
• In the Schedule:
  • “shall” means an obligation
  • “should” means a recommendation, not an obligation.
• Limits the collection, use and disclosure to purposes that a reasonable person would consider appropriate in the circumstances. The reasonable person’s perspective must be taken into account when applying any aspect of Part 1 of the Act.

Section 6
• Establishes that identifying an individual to be accountable for compliance does not mean that the organization is not responsible for its obligations as set out in Schedule 1.

Section 7
• Specifies the circumstances when personal information may be collected, used or disclosed without the individual’s consent.

Section 8
• Sets out procedures for individuals to make requests for personal information and corrections to that information.

Section 9
• Explains when access to personal information may be refused.

Section 10
• Defines an organization’s obligation to provide personal information in an alternative format (e.g. Braille, large print or audio tape) to a person with a sensory disability.
YOUR RESPONSIBILITIES UNDER THE ACT

Fair Information Principles

This section sets out the responsibilities for each of the 10 fair information principles of Schedule 1. It outlines how to fulfil these responsibilities and offers some tips.

1. Be accountable

Your responsibilities
• Comply with all 10 of the principles of Schedule 1.
• Appoint an individual (or individuals) to be responsible for your organization’s compliance.
• Protect all personal information held by your organization or transferred to a third party for processing.
• Develop and implement personal information policies and practices.

How to fulfil these responsibilities
• Give your designated privacy official senior management support and the authority to intervene on privacy issues relating to any of your organization’s operations.
• Communicate the name or title of this individual internally and externally (e.g. on Web sites and in publications).
• Analyze all personal information handling practices including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices:
  • What personal information do we collect?
  • Why do we collect it?
  • How do we collect it?
  • What do we use it for?
  • Where do we keep it?
  • How is it secured?
  • Who has access to or uses it?
  • To whom is it disclosed?
  • When is it disposed of?
• Develop and implement policies and procedures to protect personal information:
  • define the purposes of its collection
  • obtain consent
  • limit its collection, use and disclosure
  • ensure information is correct, complete and current
  • ensure adequate security measures
  • develop or update a retention and destruction timetable
  • process access requests
  • respond to inquiries and complaints
• Include a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as your organization does.
• Inform and train staff on privacy policies and procedures.
• Make information available explaining these policies and procedures to customers (e.g. in brochures and on Web sites).

TIPS
Train your front-line and management staff and keep them informed, so they can answer the following questions:
• How do I respond to public inquiries regarding our organization’s privacy policies?
• What is consent? When and how is it to be obtained?
• How do I recognize and process requests for access to personal information?
• To whom should I refer complaints about privacy matters?
• What are the ongoing activities and new initiatives relating to the protection of personal information at our organization?

When transferring personal information to third parties, ensure that they:
• Name a person to handle all privacy aspects of the contract.
• Limit use of the personal information to the purposes specified to fulfil the contract.
• Limit disclosure of the information to what is authorized by your organization or required by law.
• Refer any people looking for access to their personal information to your organization.
• Return or dispose of the transferred information upon completion of the contract.
• Use appropriate security measures to protect the personal information.
• Allow your organization to audit the third party’s compliance with the contract as necessary.
2. Identify the purpose

Your organization must identify the reasons for collecting personal information before or at the time of collection.

Your responsibilities
• Before or when any personal information is collected, identify why it is needed and how it will be used.
• Document why the information is collected.
• Inform the individual from whom the information is collected why it is needed.
• Identify any new purpose for the information and obtain the individual’s consent before using it.

How to fulfil these responsibilities
• Review your personal information holdings to ensure they are all required for a specific purpose.
• Notify the individual, either orally or in writing, of these purposes.
• Record all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.
• Ensure that these purposes are limited to what a reasonable person would expect under the circumstances.

TIPS
• Define your purposes for collecting data as clearly and narrowly as possible so the individual can understand how the information will be used or disclosed.
• Avoid overly broad purposes as they may conflict with the knowledge and consent principle.
• Examples of purposes include:
  • opening an account
  • verifying creditworthiness
  • providing benefits to employees
  • processing a magazine subscription
  • sending out association membership information
  • guaranteeing a travel reservation
  • identifying customer preferences
  • establishing customer eligibility for special offers or discounts.

GRANDFATHERING
Personal information that your company has collected during the course of its commercial activities is subject to the Act. Since it has already been collected, you don’t need to recollect it. However, in order to continue to use or disclose this information, you now require consent. Some organizations have informed all their customers what they do with their information, to whom it is disclosed and given customers the option to object to these ongoing uses or disclosures.

See relevant best practices and fact sheets on this and other issues on our Web site.
3. Obtain consent

Your responsibilities
• Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
• Obtain the individual’s consent before or at the time of collection, as well as when a new use is identified.

How to fulfil these responsibilities*
• Obtain consent from the individual whose personal information is collected, used or disclosed.
• Communicate in a manner that is clear and can be reasonably understood.
• Record the consent received (e.g. note to file, copy of e-mail, copy of check-off box).
• Never obtain consent by deceptive means.
• Do not make consent a condition for supplying a product or a service, unless the information requested is required to fulfil an explicitly specified and legitimate purpose.
• Explain to individuals the implications of withdrawing their consent.
• Ensure that employees collecting personal information are able to answer an individual’s questions about the purposes of the collection.

* Note: There are some exceptions to the principle of obtaining consent. See page 17 of this guide for more information.

TIPS
• Consent is normally obtained from the individual whose personal information is collected, used or disclosed.
• For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.
• Consent is only meaningful if the individuals understand how their information will be used.
• Consent clauses should:
  • be easy to find
  • use clear and straightforward language
  • not use blanket categories for purposes, uses and disclosures
  • be as specific as possible about which organizations handle the information.
• Consent can be obtained in person, by phone, by mail, via the Internet etc.
• The form of consent should take into consideration:
  • reasonable expectations of the individual
  • circumstances surrounding the collection
  • sensitivity of the information involved.
• Express consent should be used whenever possible and in all cases when the personal information is considered sensitive. Relying on express consent protects both the individual and the organization.
4. Limit collection

Your responsibilities
• Do not collect personal information indiscriminately.
• Do not deceive or mislead individuals about the reasons for collecting personal information.

How to fulfil these responsibilities
• Limit the amount and type of the information gathered to what is necessary for the identified purposes.
• Identify the kind of personal information you collect in your information-handling policies and practices.
• Ensure that staff members can explain why the information is needed.

TIPS
• By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data.
• Collecting less information also reduces the risk of inappropriate uses and disclosures.
5. Limit use, disclosure and retention

Your responsibilities
• Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
• Keep personal information only as long as necessary to satisfy the purposes.
• Put guidelines and procedures in place for retaining and destroying personal information.
• Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
• Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.

How to fulfil these responsibilities
• Document any new purpose for the use of personal information.
• Institute maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.
• Dispose of information that does not have a specific purpose or that no longer fulfils its intended purpose.
• Dispose of personal information in a way that prevents improper access. Shredding paper files or securely erasing electronic records are ideal; note that ordinary file deletion can leave the data recoverable from the storage medium and from backups.
• Establish policies setting out the types of information that need to be updated. An organization can reasonably expect an individual to provide updated information in certain circumstances (e.g. change of address for a magazine subscription).

TIPS
• It may be less onerous and complicated to destroy or erase information than to make personal information anonymous.
• Conduct regular reviews to help determine whether information is still required. Establish a retention schedule to make this easier.
6. Be accurate

Your responsibilities
• Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.

How to fulfil these responsibilities
• Keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
• Update personal information only when necessary to fulfil the specified purposes.
• Keep frequently used information accurate and up to date unless there are clearly set out limits to this requirement.

TIPS
• One way to determine if information needs to be updated is to ask whether the use or disclosure of out of date or incomplete information would harm the individual.
• Apply the following checklist for accuracy:
  • List specific items of personal information required to provide a service.
  • List the location where all related personal information can be retrieved.
  • Record the date when the personal information was obtained or updated.
  • Record the steps taken to verify accuracy, completeness and timeliness of the information. This may require reviewing your records or communicating with the client.
7. Use appropriate safeguards

Your responsibilities
• Protect personal information against loss or theft.
• Safeguard the information from unauthorized access, disclosure, copying, use or modification.
• Protect personal information regardless of the format in which it is held.

How to fulfil these responsibilities
• Develop and implement a security policy to protect personal information.
• Use appropriate security safeguards to provide necessary protection:
  • physical measures (locked filing cabinets, restricting access to offices, alarm systems)
  • technological tools (passwords, encryption, firewalls)
  • organizational controls (security clearances, limiting access on a “need-to-know” basis, staff training, agreements).
• Make your employees aware of the importance of maintaining the security and confidentiality of personal information.
• Ensure staff awareness by holding regular staff training on security safeguards.
• The following factors should be considered in selecting appropriate safeguards:
  • sensitivity of the information
  • amount of information
  • extent of distribution
  • format of the information (electronic, paper, etc.)
  • type of storage.
• Review and update security measures regularly.

TIPS
• Make sure personal information that has no relevance to the transaction is either removed or blocked out when providing copies of information to others.
• Keep sensitive information files in a secure area or computer system and limit access to individuals on a “need-to-know” basis only.
8. Be open

Your responsibilities
• Inform customers, clients and employees that you have policies and practices for the management of personal information.
• Make these policies and practices understandable and easily available.

How to fulfil these responsibilities
• Ensure front-line staff are familiar with the procedures for responding to individual inquiries.
• Make the following available:
  • name or title and address of the person who is accountable for your organization’s privacy policies and practices
  • name or title and address of the person to whom access requests should be sent
  • how an individual can gain access to his or her personal information
  • how an individual can complain to your organization
  • brochures or other information that explain your organization’s policies, standards or codes
  • a description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.

TIPS
• Information about these policies and practices should be made available in person, in writing, by telephone, in publications or on your organization’s Web site. The information presented should be consistent, regardless of the format.
20. YO U R R E S P O N S I B I L I T I E S U N D E R T H E AC T
9. Give individuals access
Your responsibilities
• When requested, inform individuals if you have any personal information about them.
• Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
• Give individuals access to their information.
• Correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
• An organization should note any disagreement on the file and advise third parties where appropriate.

How to fulfil these responsibilities
• Provide any help the individual needs to prepare a request for access to personal information.
• Your organization may ask the individual to supply enough information to enable you to account for the existence, use and disclosure of personal information.
• Respond to the request as quickly as possible and no later than 30 days after receipt of the request.
• The normal 30-day response time limit may be extended for a maximum of 30 additional days, according to specific criteria set out at Subsection 8(4) of the Act:
  • if responding to the request within the original 30 days would unreasonably interfere with activities of your organization
  • if additional time is necessary to conduct consultations
  • if additional time is necessary to convert personal information to an alternate format.
• If your organization extends the time, you must notify the individual making the request within 30 days of receiving the request, and of his or her right to complain to the Privacy Commissioner of Canada.
• Give access at minimal or no cost to the individual.
• Notify the individual of the approximate costs before processing the request and confirm that the individual still wants to proceed with the request.
• Give individuals access to their personal information.
• Make sure the requested information is understandable. Explain acronyms, abbreviations and codes.
• Send any information that has been amended, where appropriate, to any third parties that have access to the information.
• Inform the individual in writing when refusing to give access, setting out the reasons and any recourse available.
• There are some exceptions to the principle of providing access (see page 18 of this guide).

TIPS
• Keep a record of where the information can be found to make retrieval easier.
• Never disclose personal information unless you are sure of the identity of the requestor and that person’s right of access.
• Record the date of receipt of the request for the information.
• Ensure that staff know how to identify an access request and to whom it should be referred within the organization.
10. Provide recourse
Your responsibilities
• Develop simple and easily accessible complaint procedures.
• Inform complainants of their avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Office of the Privacy Commissioner of Canada.
• Investigate all complaints received.
• Take appropriate measures to correct information handling practices and policies.

How to fulfil these responsibilities
• Record the date a complaint is received and the nature of the complaint (e.g. delays in responding to a request, incomplete or inaccurate responses, or improper collection, use, disclosure or retention).
• Acknowledge receipt of the complaint promptly.
• Contact the individual to clarify the complaint, if necessary.
• Assign the matter to a person with the skills necessary to review it fairly and impartially and provide that individual with access to all relevant records, employees or others who handled the personal information or access request.
• Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
• Correct any inaccurate personal information or modify policies and procedures based on the outcome of the complaint, and ensure that staff in the organization are aware of any changes to these policies and procedures.

TIPS
• Ensure that staff is aware of policies and procedures for complaints, and to whom these complaints should be referred within the organization.
• Record all decisions to ensure consistency in applying the Act.
• Handling a complaint fairly and appropriately may help to preserve or restore the individual’s confidence in your organization.
Exceptions to the Consent and Access Principles
There are a number of exceptions to the requirements to obtain consent and provide access set out in the Act.
Exceptions to consent in Section 7
Organizations may collect personal information without the individual’s knowledge or consent only:
• if it is clearly in the individual’s interests and consent is not available in a timely way;
• if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law;
• for journalistic, artistic or literary purposes;
• if it is publicly available as specified in the regulations.

Organizations may use personal information without the individual’s knowledge or consent only:
• if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
• for an emergency that threatens an individual’s life, health or security;
• for statistical or scholarly study or research (the organization must notify the Privacy Commissioner of Canada before using the information);
• if it is publicly available as specified in the regulations;
• if the use is clearly in the individual’s interest and consent is not available in a timely way; or
• if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law.

Organizations may disclose personal information without the individual’s knowledge or consent only:
• to a lawyer representing the organization;
• to collect a debt the individual owes to the organization;
• to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction;
• to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
• to a government institution that has requested the information, identified its lawful authority to obtain the information, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information
relates to national security, the defence of Canada or the conduct of international affairs; or is for the purpose of administering any federal or provincial law;
• to an investigative body named in the Regulations of the Act or government institution on the organization’s initiative when the organization has reasonable grounds to believe that the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspects the information relates to national security, the defence of Canada or the conduct of international affairs;
• if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal or provincial law;
• in an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure);
• for statistical, scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information);
• to an archival institution;
• 20 years after the individual’s death or 100 years after the record was created;
• if it is publicly available as specified in the regulations; or
• if required by law.
Exceptions to access in Section 9
Organizations must refuse an individual access to personal information:
• if it would reveal personal information about another individual* unless there is consent or a life-threatening situation; or
• if the organization has disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct the organization to refuse access or not to reveal that the information has been released. The organization must refuse the request and notify the Privacy Commissioner of Canada. The organization cannot inform the individual of the disclosure to the government institution, or that the institution was notified of the request, or that the Commissioner was notified of the refusal.

Organizations may refuse access to personal information if the information falls under one of the following:
• solicitor-client privilege
• confidential commercial information*
• disclosure could harm an individual’s life or security*
• it was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner of Canada must be notified)
• it was generated in the course of a formal dispute resolution process

* If this information can be removed, the organization must release the remaining information.
Role of the Privacy Commissioner of Canada
The Privacy Commissioner of Canada has oversight of both the Privacy Act and Part 1 of PIPEDA. These acts protect personal information according to internationally accepted fair information principles and practices.
The Commissioner is an Officer of Parliament, like the Auditor General of Canada or the Chief Electoral Officer. As an Officer of Parliament, the Commissioner reports directly to the House of Commons and to the Senate, not to the government of the day. This independence ensures impartiality and open-mindedness in exercising her role as an ombudsman for privacy matters. The Commissioner makes recommendations, not orders. However, there is provision to apply to the Federal Court to review a case.
In addition to the Privacy Commissioner, the Office has an Assistant Privacy Commissioner responsible for the Privacy Act and another Assistant Privacy Commissioner responsible for PIPEDA.

A privacy ombudsman
More than two decades of experience investigating complaints under the Privacy Act have helped define the Privacy Commissioner’s ombudsman role. The Privacy Commissioner relies on the competence, knowledge and impartiality of her staff to seek whenever possible to resolve disputes through investigation, persuasion, mediation and conciliation. Ideally this approach to resolving disputes can be less intimidating to complainants and less costly to business than recourse to the courts. While the Commissioner protects individual rights, she is also an advocate for the fair information principles that form the foundation of the legislation. The Commissioner’s thorough investigations and impartiality protect both individual rights and the organization against unfair accusations.

Specific responsibilities under the Act
The Act makes the Commissioner responsible for ensuring compliance with the Act and for promoting its purposes.
Promoting the purposes of the Act
The Commissioner promotes the purposes of the Act through public education and awareness initiatives, research, reporting, and consultation and agreements.
The Commissioner’s mandate includes developing and conducting public education and awareness programs to encourage and promote understanding of privacy issues.
PIPEDA also requires the Commissioner to undertake and publish research about protecting personal information so as to increase knowledge and improve compliance with the Act’s fair information principles. The Commissioner may conduct independent research on privacy issues in conjunction with academic or other researchers. She may also provide grants and contributions for academic or other research on privacy issues.
The Commissioner may make public any information about an organization’s personal information handling practices, if she considers it in the public interest to do so. She reports annually to Parliament on privacy issues including the extent to which provinces have substantially similar legislation.
The Commissioner may enter into agreements with provincial counterparts who, under substantially similar legislation, have similar powers and duties. These consultations and agreements may cover complaint mechanisms, research and developing model contracts for protecting personal information in interprovincial or international matters. The Commissioner will encourage organizations to develop detailed policies and practices to comply with Part 1 of the Act.
Complaints to the Privacy Commissioner of Canada

Types of complaints
An individual may complain to the Commissioner about any matter specified in Sections 5 to 10 of the Act or in the recommendations or obligations set out in Schedule 1. This includes but is not limited to allegations that an organization:
• denies an individual access to personal information;
• improperly collects, uses or discloses personal information;
• refuses to correct inaccurate or incomplete information;
• fails to provide access to personal information in an alternative format to an individual with a sensory disability; or
• does not use appropriate safeguards to protect personal information.
The Commissioner may initiate a complaint if there are reasonable grounds to believe that an investigation of a matter under Part 1 of the Act is warranted.

Time limits
There is no time limit for filing most types of complaints.
The only exception is a complaint that access to personal information has been denied. In this case, the complaint must be made within six months after the organization’s refusal to provide the information, or after the expiry of the time limit for responding to the request (see page 15 of this guide for more on the time limit to respond to a request). However, the Commissioner may extend the time limit for an access complaint.
The Commissioner has one year from the date of the complaint to prepare a report.

How does the Privacy Commissioner of Canada handle complaints?
As an ombudsman, the Commissioner seeks to take a cooperative and conciliatory approach to investigations whenever possible. She encourages the resolution of complaints through negotiation and persuasion. Alternate dispute resolution methods such as mediation and conciliation may be used to settle matters at any stage of the investigation process. Although the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence, these means are only likely to be used if voluntary cooperation is not forthcoming.
At the outset of an investigation, the Commissioner will notify the organization in writing of the substance of the complaint and will identify the investigator responsible for the case. The organization may submit representations to the Commissioner at any time during the process.
The investigator will contact the organization’s designated staff member to indicate how he or she intends to proceed with the