IX. Privacy Law

Canada has enacted comprehensive federal privacy legislation with application to the private sector. In addition, certain provinces have enacted both comprehensive and sector-specific private-sector privacy legislation.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies generally to all collection, use or disclosure of personal information by organizations in the course of a commercial activity. “Personal information” is broadly defined in PIPEDA, and includes any “information about an identifiable individual”, whether public or private, with limited exceptions.

All organizations subject to PIPEDA must comply with a range of obligations when collecting, using, disclosing and otherwise handling personal information, summarized in the following 10 principles:

    1. Accountability: Organizations must appoint an individual (or individuals) to be responsible for the organization’s compliance and to develop and implement personal information policies and procedures. Organizations are accountable for personal information transferred to third party service providers (including affiliated companies) for processing on their behalf, and must use contractual or other means to protect personal information while being handled by those third parties.

    2. Identifying Purposes: Organizations must identify the purposes for collecting personal information before or at the time of collection.

    3. Consent: Knowledge and consent of the individual are required for collection, use and disclosure of personal information, with limited statutory exceptions. Consent cannot be made a condition for supplying a product or service unless use of the personal information is required to fill an explicitly specified and “legitimate” purpose. Individuals may withdraw their consent at any time, subject to contractual or statutory limitations.

    4. Limiting Collection: Organizations are required to limit collection to the amount and type of information necessary for the identified purposes. Information must be collected by “fair and lawful means”, and cannot be collected indiscriminately.

    5. Limiting Use, Disclosure and Retention: Personal information may not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or pursuant to certain limited statutory exceptions. Personal information is to be retained only as long as necessary for the fulfilment of those purposes.

    6. Accuracy: Personal information must be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

    7. Safeguards: Organizations must use appropriate security safeguards to protect personal information against loss or theft, and unauthorized access, disclosure, copying, use or modification, and must train staff on security and information protection, among other matters.

    8. Openness: Privacy policies and practices of the organization must be open, understandable and easily available.

    9. Individual Access: Organizations must give individuals access to their personal information upon request, subject to certain statutory limits and, in appropriate circumstances, individuals must be given an opportunity to correct their information.

    10. Challenging Compliance: Organizations must have a simple and easily accessible complaint procedure.

In addition to the foregoing principles, compliance with PIPEDA is subject to an overriding reasonableness standard whereby organizations may only collect, use and disclose personal information for the purposes that a “reasonable person would consider are appropriate in the circumstances”. This reasonableness requirement applies even if the individual has consented to the collection, use or disclosure of their personal information.

Given the constitutional limits placed on federal legislation, PIPEDA applies only to the employment information of employees of federally regulated organizations such as banks, airlines and telecommunications companies. Provincial privacy legislation will, however, apply to employee information outside those sectors.

Quebec has had private-sector personal information privacy legislation, an Act respecting the protection of personal information in the private sector (Quebec Privacy Act), in force since 1994. The Quebec Privacy Act is similar in principle to PIPEDA, but there are important differences in detail. The Quebec Privacy Act applies to all private-sector organizations with respect to collection, use and disclosure of personal information (not just with respect to commercial activities) and to employee information. It also applies to private-sector collection, use and disclosure of personal health information. Alberta and British Columbia have also enacted comprehensive private-sector privacy legislation (in each case, the Personal Information Protection Act or PIPA) that applies generally, including to personal information of employees.

Alberta introduced amendments to the PIPA that came into force on May 1, 2011. The most significant additions are the provisions for data breach notifications. Organizations must notify Alberta’s Information and Privacy Commissioner, without delay, of a loss of or unauthorized access to or disclosure of personal information if a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss, access or disclosure. The Commissioner can direct the organization to notify individuals of the loss, access or disclosure. Organizations are also able to notify individuals on their own initiative.

In addition, the Alberta PIPA amendments require an organization that uses a service provider outside Canada to collect, use or disclose personal information to notify individuals as to how they can obtain information about the organization’s policies and practices with respect to the use of service providers outside Canada, including the name, position or title of a person who is able to answer questions on behalf of the organization. The organization is also required to include, in its privacy policy or in a separate document, the countries outside Canada in which the collection, use or disclosure of personal information may occur and the purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information on behalf of the organization.

Alberta, Manitoba, Ontario and Saskatchewan also have legislation in place specifically governing the collection and use of personal health information.

PIPEDA permits the federal cabinet, by order, to exempt an organization or class of organizations or an activity or class of activities from its application if the collection, use or disclosure of personal information occurs within a province that has enacted legislation that is substantially similar. The Quebec Privacy Act and the PIPA legislation in Alberta and British Columbia have each been designated as substantially similar to PIPEDA. In addition, Ontario health information custodians (e.g., physicians, nurses, hospitals, etc.) have been exempted with respect to personal health information to which Ontario’s health information privacy statute applies. Nevertheless, given that many organizations operate in more than one province and inter-provincially, businesses are still required to deal with a “patchwork” of provincial and federal privacy legislation.

To date, the Alberta PIPA is the only private-sector privacy legislation that imposes a statutory obligation on private-sector organizations to disclose privacy-related data breaches. However, proposed amendments to PIPEDA, if enacted, would add a mandatory notification requirement to that statute. Federal and provincial privacy commissioners have also published guidelines that suggest disclosure and notification should be made in certain circumstances.

Considerable attention has been given in Canada to cross-border transfers and outsourcing of Canadian personal information to the U.S. Much of this attention has centred on the concern that U.S. authorities could use the USA PATRIOT Act to obtain the information of Canadians where that information is located in or accessible from the U.S. PIPEDA and the related provincial legislation do not prohibit the transfer of personal information outside Canada. However, PIPEDA’s “Openness” principle has been held by privacy regulators to require that notice of such transfers be provided to affected individuals. In addition, the Alberta PIPA now expressly requires that organizations notify individuals if they use a service provider outside Canada to collect personal information or transfer personal information to a service provider outside Canada. The Quebec Privacy Act requires organizations to consider the potential risks involved in transferring personal information outside Canada.

Somewhat different rules apply to personal information that is collected by federal, provincial or municipal public-sector organizations. This information is covered by federal and provincial legislation that limits the use and disclosure of such information to purposes related to a valid public purpose. While generally these public-sector privacy statutes apply only to public-sector organizations, under the laws of some provinces, hospitals and educational institutions are subject to the public-sector legislation. In British Columbia and Nova Scotia, there are restrictions on personal information collected by public-sector organizations, which cannot be stored in, or accessed from locations outside Canada unless the individual consents. These restrictions apply to service providers to public-sector organizations. As a result, private-sector organizations that provide services to government agencies or other public-sector organizations in British Columbia and Nova Scotia will be directly subject to restrictions on foreign storage of, and access to, personal information collected by public-sector organizations.

In addition, British Columbia and Nova Scotia impose penalties for disclosure of personal information pursuant to foreign legal requirements (e.g., court orders, USA PATRIOT Act disclosure notices). Organizations that perform contracted services for federal public bodies should also be aware of federal government contracting guidelines that address privacy risks of contracting with foreign-based or foreign-affiliated service providers.

New Anti-Spam Legislation

Canada’s Anti-Spam Legislation is expected to be in force early in 2012. For details, see Section XI, “Information Technology”.
