Private Sector Data Protection 1998

APPENDIX E

PRIVATE SECTOR DATA PROTECTION

FOREWORD

At its 1997 annual meeting, the Uniform Law Conference of Canada resolved:

That a draft Uniform Data Protection Act and commentaries be prepared in accordance with the discussions for consideration of the 1998 Conference.

In 1997-98, two drafts of the Uniform Act were circulated to the working group and a meeting, organized by Industry Canada, was held in Ottawa on April 30 to discuss the second draft with various interested parties. The following draft was completed in June 1998 and therefore has not been reviewed by the working group.

With respect to the Schedule of the Act, the CSA requires that the following credit statement be displayed at the front of the material: "With the permission of the Canadian Standards Association, material is reproduced from the CSA Standard CAN/CSA-Q830-96 "Model Code for the Protection of Personal Information", which is copyrighted by CSA, 178 Rexdale Blvd., Etobicoke, Ontario, Canada M9W 1R3. While use of this material has been authorized, CSA shall not be responsible for the manner in which the information is presented, nor for any interpretations thereof."

Short Title

Short title

1. This Act may be cited as the Protection of Personal Information in the Private Sector Act.

Interpretation

Definitions

2. The definitions in this section apply in this Act.

"alternative format"

« support de substitution » "alternative format", with respect to personal information, means a format that allows a person with a sensory disability to read or listen to the personal information.

"Commissioner"

« commissaire » "Commissioner" means the Commissioner responsible for the protection of personal information appointed under ...

"organization"

« organisation » "organization" includes an association, a partnership, a person and a trade union.

"personal information"

« renseignements personnels » "personal information" means information about an identifiable individual that is recorded in any form.

"record"

« document » "record" includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things.

"Tribunal"

« Tribunal » "Tribunal" means the ... Tribunal established by section x of the ... Act or the ... Court.

Commentary:

"Commissioner": A new office of Commissioner does not need to be created if one exists under the public sector data protection legislation. This Commissioner could also be someone who exercises similar responsibilities in a related area, e.g. Human Rights Commissioner.

"Organization": The definition is very broad and is meant to cover natural persons, corporations and other forms of bodies likely to collect personal information.

"Personal Information": This expression is given the same definition as in the CSA Model Code for the Protection of Personal Information.

"Record": This word is given a very broad, technology-neutral, definition.

"Tribunal": This term is employed throughout the Act, but each jurisdiction has the choice of creating a new tribunal, giving new responsibilities to the mandate of an existing Tribunal or simply making use of the court system within its jurisdiction.

Application

Limit

3. This Act does not apply

(a) to organizations to which the ... Act applies; or

(b) in respect of personal information collected, used or disclosed by an individual in the course of a purely personal or household activity.

Commentary:

The Act would not apply to bodies already subject to the federal Privacy Act or any like Act of a province or territory. The exclusion for purely personal or household activity was taken from the EU Directive and should prevent the Act from having unintended consequences in purely personal everyday relationships.

PART 1 - PROTECTION OF PERSONAL INFORMATION

Compliance with obligations

4. (1) Subject to sections 5 to 9, every organization shall comply with the obligations set out in the schedule.

Should

(2) The word "should", when used in the schedule, indicates a recommendation and does not impose an obligation.

Commentary:

The Act incorporates the CSA Model Code for the Protection of Personal Information as a schedule of the Act. Some modifications have been made to the Code and are highlighted in the text (more modifications were required to the French version of the Code to make both versions the same and to improve the quality of the French version). Sections 5 to 9 consist of additions, precisions and modifications to the Code. For greater certainty, the Act states that the word "should" used extensively in the Code, does not impose an obligation.

Effect of designation of individual

5. The designation of an individual under clause 4.1 of the schedule does not relieve an organization of the obligation to comply with the obligations set out in the schedule.

Commentary:

For greater certainty, this makes organizations accountable for compliance with the schedule, not the individual they have designated under 4.1 of the schedule.

Collection without knowledge or consent

6. (1) For the purpose of clause 4.3 of the schedule, and despite the note that accompanies that clause, an organization may collect personal information from a third party without the knowledge or consent of the individual only if collection of the information

(a) is clearly in the interests of the individual and consent cannot be obtained in a timely way;

(b) from the individual would compromise the accuracy of the information; or

(c) is for journalistic, artistic or literary purposes.

Use without knowledge or consent

(2) For the purpose of clause 4.3 of the schedule, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only

(a) for the purpose of collecting a debt owed by the individual to the organization;

(b) if the organization comes to believe, in the course of its activities, that the information could be useful in the investigation of an offence under the laws of Canada or a province that has been committed or is about to be committed, and the information is used for the purpose of investigating that offence;

(c) for the purpose of acting in respect of an emergency that threatens the life, health or security of the individual or any other individual;

(d) for purposes for which its use by the organization is authorized under section 7; or

(e) for journalistic, artistic or literary purposes.

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of the schedule, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only

(a) if the disclosure is made, in the Province of Quebec, to an advocate or notary or, in any other province, to a barrister or solicitor who is representing the organization;

(b) for the purpose of collecting a debt owed by the individual to the organization;

(c) if the disclosure is required to comply with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(d) if the disclosure is made on the initiative of the organization to an investigative body and the information relates to an offence under the laws of Canada or a province that has been committed or is about to be committed;

(e) if the disclosure is made to a person who needs the information because of an emergency that threatens the life, health or security of the individual or any other individual;

(f) if the disclosure is made to a person who is authorized under section 7 to use the information;

(g) if the disclosure is made to an institution whose functions include the conservation of records of historic or archival importance and that is designated by order of the [Governor in Council], and the disclosure is made for the purpose of such conservation;

(h) if the disclosure is made after the earlier of

  • (i) one hundred and ten years after the record containing the information was created, and
  • (ii) twenty years after the death of the individual whom the information is about;

(i) for journalistic, artistic or literary purposes; or

(j) if the disclosure is required by law.

Use without consent

(4) Despite clause 4.5 of the schedule, an organization may use personal information in any of the circumstances or for any of the purposes set out in subsection (2).

Disclosure without consent

(5) Despite clause 4.5 of the schedule, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances or for any of the purposes set out in paragraphs (3)(a) to (i).

Commentary:

This provision deals with exceptions to the rules governing the collection, use and disclosure of personal information, as set out in the schedule of the Act.


Study, research and statistics

7. (1) The Commissioner may, on the written application of a person who requires personal information for study, research or statistical purposes, authorize its disclosure to, and its use for those purposes by, the person if the Commissioner is of the opinion that

(a) the proposed use is serious and the purposes can only be achieved if the information is communicated in a form that would permit the identification of the individual whom the information is about; and

(b) the information will be used in a manner that will ensure its confidentiality.

Time limit for authorization

(2) The Commissioner may authorize access to the information for the period and under any conditions that the Commissioner may determine and may revoke the authorization if the Commissioner has reason to believe that the authorized person is not using the information in a manner that will ensure its confidentiality or is not meeting any condition of the authorization.

Commentary:

The Commissioner is given the power to allow, in limited circumstances, the disclosure of personal information for research purposes.

Written request

8. (1) A request under clause 4.9 of the schedule must be made in writing.

Assistance

(2) An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

Time limit

(3) An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Extension of time limit

(4) The time limit may be extended

(a) for a maximum of 30 days if

  • (i) meeting the time limit would unreasonably interfere with the activities of the organization, or
  • (ii) the time required to undertake consultations necessary to respond to the request would make the time limit almost impossible to meet; or

(b) for the period that is necessary in order to be able to convert the personal information into an alternative format.

In either case, the organization shall, no later than 30 days after the date of the request, send a notice of extension to the individual, advising them of the new time limit and of their right to bring a complaint in that regard to the Commissioner.

Deemed refusal

(5) If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

Costs for responding

(6) An organization shall not respond to an individual's request at a cost to the individual unless

(a) the organization informs the individual of the approximate cost; and

(b) the individual advises the organization that the request is not being withdrawn.

Reasons

(7) An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse under this Act that they may have.

Retention of information when refusal

(8) An organization that has personal information that is the subject of a request that has been refused shall retain that information for as long as is necessary to allow the individual to exhaust any recourse under this Act that they may have.

Commentary:

This provision complements the schedule by providing some firm time limits to respond to requests for personal information, establishing conditions to charge a fee and requiring that reasons for refusals be given.

When access prohibited

9. (1) Despite clause 4.9 of the schedule, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party, unless the third party consents to the access or the individual's life, health or security is threatened.

When access may be refused

(2) Despite the note that accompanies clause 4.9 of the schedule, an organization is not required to give access to personal information only if

(a) the information is protected by solicitor-client privilege;

(b) to do so would likely reveal commercial secrets;

(c) to do so would involve prohibitive costs; or

(d) the information was collected, used or disclosed or is being or is to be used for journalistic, artistic or literary purposes.

However, the organization shall give access to the information if the life, health or security of the individual is threatened.

Commentary:

This provision complements the schedule by establishing a closed list of exemptions to the right of access.

Sensory disability

10. An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and requests that it be transmitted in the alternative format if

(a) a version of the information already exists in that format; or

(b) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Act.

Commentary:

A special regime allows individuals with hearing and reading disabilities to obtain their personal information in a format that is more useful for them.

PART 2 - REMEDIES

Filing of Complaints

Contravention

11. (1) An individual may file a written complaint against an organization with the Commissioner if the individual has reason to believe that the organization has contravened a provision of this Act relating to the individual's personal information.

Assistance

(2) The Commissioner shall assist any individual who informs the Commissioner that they need assistance in preparing a complaint.

Commissioner may initiate complaint

(3) If the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Act, the Commissioner may initiate a complaint in respect of the matter.

Time limit

(4) A complaint that results from the refusal to grant a request under section 8 must be filed within six months, or any longer period that the Commissioner allows, after the refusal or after the expiry of the time limit for responding to the request, as the case may be.

Notice

(5) The Commissioner shall give notice of a complaint to all persons who are affected by it, unless it is deemed abandoned under section 12.

Commentary:

The Commissioner receives complaints from individuals who believe that the Act has been violated and may initiate his own complaints when there are reasonable grounds to do so.

Exhausting grievance or review procedures

12. A complaint is deemed abandoned, and the Commissioner shall so advise the complainant, if the Commissioner is satisfied that

(a) the complainant ought first to exhaust grievance or review procedures otherwise reasonably available; or

(b) the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under any other legislation.

Commentary:

This provision allows the Commissioner not to investigate a complaint, if the Commissioner believes that the complainant has not exhausted all other reasonable recourses or if the complaint could be more appropriately dealt with under another act (for instance, some complaints involving inappropriate collection, use or disclosure of personal information may allege unlawful discrimination on the part of the organization).

Investigations of Complaints

Powers of Commissioner

13. (1) The Commissioner may conduct an investigation in respect of a complaint and, for that purpose, may

(a) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary to investigate the complaint, in the same manner and to the same extent as a superior court of record;

(b) administer oaths;

(c) receive and accept any evidence and other information, whether on oath or by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;

(d) if an organization consents, at any reasonable time enter any premises occupied by the organization on satisfying its security requirements relating to the premises;

(e) converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and

(f) examine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the investigation.

Delegation

(2) The Commissioner may delegate any of the powers set out in subsection (1).

Return of records, etc.

(3) The Commissioner or the delegate shall return to a person or an organization any record or thing they produced under this section within ten days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.

Commentary:

The Commissioner's powers are modelled after the powers of the Privacy Commissioner of Canada under the Privacy Act. Because organizations being investigated are in the private sector, however, the Commissioner's power to enter premises has been made subject to the consent of the organization.

Conciliation

Appointment of conciliator

14. (1) The Commissioner may appoint a person, in this Part referred to as a "conciliator", for the purpose of attempting to bring about a settlement of the complaint.

Eligibility

(2) The Commissioner may not appoint, in respect of a complaint, any person to whom the Commissioner delegated powers under subsection 13(2) in respect of the complaint.

Confidentiality

(3) Subject to subsection (4), any information received by a conciliator is confidential and may not be disclosed except with the consent of the person who provided it.

Report

(4) A conciliator shall submit a report to the Commissioner as soon as possible after the complaint is settled or the conciliator determines that the complaint is not likely to be settled. If the complaint is settled, the conciliator shall attach a copy of the settlement to the report.

Not competent witness

(5) A conciliator appointed to settle a complaint is not a competent witness at a hearing of the Tribunal in respect of the complaint.

Commentary:

A formal conciliation process, distinct from the Commissioner's investigation, is established. The Commissioner has discretion to appoint the conciliator when he believes that it may help in resolving a complaint. The separation between the conciliation and the investigation is necessary to ensure that both parties trust the conciliator not to take sides. For the same reason, the confidentiality of the conciliation process is also required.

Commissioner's report

15. (1) Unless the Commissioner is satisfied that a complaint is frivolous or vexatious, the Commissioner shall prepare a report that contains

(a) the Commissioner's findings or recommendations;

(b) any settlement that was reached by the parties;

(c) if appropriate, a request that the organization give the Commissioner, within a specified time, notice of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken; and

(d) the recourse that is available under section 16.

Reception of conciliator's report

(2) If the Commissioner appointed a conciliator, the Commissioner shall prepare the report after receiving the conciliator's report.

Report to parties

(3) The Commissioner's report shall be sent to the complainant and to the organization without delay.

Commentary:

The Commissioner has been given non-binding powers. If he is satisfied that a complaint is frivolous or vexatious, however, he does not have to make a report, but may simply dismiss the complaint.

Hearing by Tribunal

Application

16. (1) Any individual who has made a complaint to the Commissioner may apply to the Tribunal for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner's report, and that is referred to in clause 4.1.3, 4.2, 4.3, 4.3.3, 4.4, 4.5, 4.6, 4.7, 4.8 or 4.9 of the schedule.

Time of application

(2) The application must be made within forty-five days after the report is sent or within any further time that the Tribunal may, either before or after the expiry of those forty-five days, allow.

Commentary:

If the Commissioner's report has failed to resolve a complaint to the complainant's satisfaction, the complainant can ask the tribunal to review the complaint de novo. The matters that may be brought to the Tribunal, however, are limited to the violation of eight of the ten principles (identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness and individual access) and the Code's provision on the transfer of personal information to third parties.

Commissioner may apply or appear

17. The Commissioner may

(a) apply to the Tribunal, within the time limited by section 16, for a hearing in respect of any matter described in that section, if the Commissioner has the consent of the complainant;

(b) appear before the Tribunal on behalf of any individual who has applied for a hearing under section 16; or

(c) with leave of the Tribunal, appear as a party to any hearing applied for under section 16.

Commentary:

The Commissioner is given the power to bring a matter to the Tribunal on the same grounds as the complainant can, with the complainant's consent, or he may appear as a party to a hearing.

Burden of proof

18. In the case of a complaint relating to a request for correction of personal information, the burden of establishing that a complaint is not founded is on the organization, unless the information in question was disclosed to the organization by the individual.

Commentary:

When an individual challenges the accuracy of information, the organization has the burden of proving that the information is correct, unless it was collected directly from the individual.

Remedies

19. (1) The Tribunal may, in addition to any other remedies it may give,

(a) order the organization to correct its practices in order to comply with sections 4 to 6 and 8 to 10;

(b) order the organization to publish a notice of any action taken (or proposed to be taken) to correct its practices, whether or not ordered to correct them under paragraph (a); and

(c) award damages to the complainant, including damages for any humiliation the complainant suffered.

Limitation

(2) The Tribunal may not award punitive damages in an amount greater than $20,000.

Commentary:

The Tribunal has the power to issue corrective orders, to award damages, including punitive damages up to $20,000, and to order the publication of notices of corrective action taken by the organization.


PART 3 - AUDITS

To ensure compliance

20. (1) The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization, and for that purpose may

(a) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary for the audit, in the same manner and to the same extent as a superior court of record;

(b) administer oaths;

(c) receive and accept any evidence and other information, whether on oath or by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;

(d) if an organization consents, at any reasonable time enter any premises occupied by the organization on satisfying its security requirements relating to the premises;

(e) converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and

(f) examine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the audit.

Delegation

(2) The Commissioner may delegate any of the powers set out in subsection (1).

Return of records, etc.

(3) The Commissioner or the delegate shall return to a person or an organization any record or thing they produced under this section within ten days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.

Commentary:

To help ensure compliance with the law, even when no complaint has been made and there are no reasonable grounds for the Commissioner to initiate one, the Commissioner may perform an audit of an organization's practices with respect to the management of personal information. The powers given to the Commissioner to conduct such audits are similar to the powers he has to investigate complaints.

Report of findings and recommendations

21. (1) After an audit, the Commissioner shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the Commissioner considers appropriate.

Reports may be included in annual reports

(2) The report may be included in a report made under section 24.

Commentary:

The audit is followed by a report containing the findings and recommendations of the Commissioner which in and of themselves should persuade the organizations to adopt new measures to comply with the legislation. While the audit itself does not result in any corrective order being issued by the Commissioner or the Tribunal, the audit may give the Commissioner reasonable grounds to initiate a complaint, which may eventually lead to a hearing before the Tribunal.


PART 4 - GENERAL

Confidentiality

22. (1) Subject to subsection (2), the Commissioner and the Commissioner's delegates shall not disclose any information that comes to their knowledge in the performance of the Commissioner's powers under this Act.

Disclosure authorized

(2) The Commissioner may disclose, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose,

(a) information that, in the opinion of the Commissioner, is necessary to

  • (i) conduct an investigation or audit under this Act, or
  • (ii) establish the grounds for findings and recommendations contained in any report under this Act; or

(b) information in the course of a prosecution for an offence under section 25, a prosecution for an offence under section 132 of the Criminal Code (perjury) in respect of a statement made under this Act, a hearing before the Tribunal under this Act or an appeal from a decision of the Tribunal.

Disclosure of offence authorized

(3) The Commissioner may disclose to the Attorney General of [...] information relating to the commission of an offence against any law of Canada or a province on the part of an officer or employee of an organization if, in the opinion of the Commissioner, there is evidence of an offence.

Commentary:

Information obtained by the Commissioner or investigators working on behalf of the Commissioner during the investigation of a complaint or the conduct of an audit is confidential, subject to some limited exceptions relating to the exercise of the Commissioner's mandate and prosecutions for perjury.

Promoting the purposes of the Act

23. The Commissioner may

(a) develop and conduct information programs to foster public understanding of this Act and to foster public recognition of the purposes of this Act;

(b) undertake and publish research related to the purposes of this Act;

(c) encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with sections 4 to 6 and 8 to 10; and

(d) promote, by any means the Commissioner considers appropriate, the purposes of this Act.

Commentary:

The Commissioner is given broad powers to promote the Act, conduct research and encourage the development of codes of practice.

Annual report

24. The Commissioner shall, within three months after the end of each calendar year, submit to the ... Minister a report concerning the application of this Act. The Minister shall cause each report to be laid before [Parliament/the Legislature] on any of the first fifteen days on which it is sitting after the Minister receives it.

Offence and punishment

25. Every person who obstructs the Commissioner or the Commissioner's delegate in the investigation of a complaint or in conducting an audit commits an offence and is liable on summary conviction to a fine of not more than $10,000.

Commentary:

This is the only infraction created under the Act.

Permanent review of Act by parliamentary committee

26. (1) The administration of this Act shall, every five years after it comes into force, be reviewed by the committee of [Parliament/the Legislature] that may be designated or established by [Parliament/the Legislature] for that purpose.

Review and report

(2) The committee designated or established by [Parliament/the Legislature] for the purpose of subsection (1) shall undertake a comprehensive review of the provisions and operation of this Act and shall, within a year after the review is undertaken or within any further time that [Parliament/the Legislature] may authorize, submit a report to [Parliament/the Legislature] that includes a statement of any changes to this Act or its administration that the committee would recommend.

Commentary:

This provision requires that a comprehensive review of the Act be undertaken five years after it comes into force and every five years thereafter.


PART 5 - COMING INTO FORCE

Coming into force

27. This Act or any of its provisions come into force on a day or days to be fixed by order of the ....

This work is licensed under a Creative Commons Attribution 2.5 Canada License