Regulation

1. What national law(s) apply to the collection and use of personal data? If applicable, has Directive 95/46/EC on data protection (Data Protection Directive) been implemented?

Personal information protection is governed by:

  • Federal law.

  • Laws of the ten provinces and three territories.

  • Industry practice.

Privacy laws protect:

  • Personal information in the public sector.

  • Personal information in the private sector (generally, such laws apply to either sector specific activities or information or to personal information that is collected, used or disclosed in the course of commercial activities and, in some circumstances, in the course of employment).

  • Health information.

This chapter considers only generally-applicable legislation that regulates the commercial use of personal information in the private sector.

Specific legislation may also apply to a particular category of information or activity. Because different activities and categories of information are regulated by different federal and provincial laws, obligations can be complex, varied and sometimes overlapping, depending on the nature of the information and the location of the activities associated with it. An organisation collecting, using or disclosing personal information in more than one jurisdiction may therefore have to comply with more than one law, and should analyse the nature of the information, and the nature and location of the activities relating to it, to be sure that it meets all applicable requirements.

At the federal level, personal information protection in the private sector is governed by the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA), which came fully into force on 1 January 2004. PIPEDA applies to all regulated activities, except to the extent that the federal government determines that a province has enacted substantially similar legislation. Provincial counterparts to PIPEDA which are currently in force for personal information in the private sector are the:

  • Personal Health Information Protection Act, 2004, in Ontario (limited to health information).

  • Personal Information Protection Act 2003, in Alberta.

  • Personal Information Protection Act 2003, in British Columbia.

  • Health Information Act 1999, in Alberta (a different style of legislation, limited to health information and not currently the subject of a substantial similarity order; this Act is not discussed further in this chapter).

  • Act Respecting the Protection of Personal Information in the Private Sector 1993 (as amended), in Québec.

Personal information is, at the federal level, the responsibility of the Office of the Privacy Commissioner of Canada, headed by the federal Privacy Commissioner. Some provincial equivalent authorities are:

  • Office of the Information and Privacy Commissioner of Alberta.

  • Office of the Information and Privacy Commissioner for British Columbia.

  • Office of the Information and Privacy Commissioner/Ontario.

  • Québec Access to Information Commission (Commission d'accès à l'information du Québec). (See box, The regulatory authorities.)

2. To whom do the rules apply (EU: data controller)?

At the federal level, the personal information protection rules apply to every organisation collecting, using or disclosing personal information in the course of commercial activities. At the provincial level, the federal law applies unless the province has enacted substantially similar legislation (namely, Alberta, British Columbia, Québec and Ontario (limited to health information)). In Alberta, British Columbia and Québec, the legislation applies to every organisation and all personal information, unless otherwise specified. Generally, an organisation includes:

  • Corporations.

  • Unincorporated associations.

  • Partnerships.

  • Individuals acting in a commercial capacity.

  • Trade unions.

The privacy laws may also apply to employment relationships where an organisation collects, uses or discloses the personal information of its employees in one of the following circumstances:

  • In connection with the operation of a federal work, undertaking or business.

  • In the course of a commercial activity.

  • In Alberta or British Columbia.

Obligations vary depending on the nature of the organisation and where its activities relating to the personal information of its employees occur.

Organisations may also be held accountable for personal information in their control and for the activities of third parties undertaken on the organisation's behalf (see Question 15).

As the language used in the different federal and provincial laws varies, an organisation should take care to ensure that all necessary obligations are met under each applicable law.

3. What data is regulated (EU: personal data)?

Private sector privacy laws apply to personal information. The definition of personal information varies between the applicable legislation:

  • Federal. Personal information means information about an identifiable individual, but does not include the name, title, business address or telephone number of an employee of an organisation (PIPEDA).

  • Alberta and British Columbia. Personal information means information about an identifiable individual and excludes business contact information (such as an individual's name, title, business telephone number, address, e-mail address or fax number) where it is used for contacting the individual in their capacity as an employee or official of an organisation (Personal Information Protection Acts).

  • Québec. Personal information includes any information that relates to a natural person and allows that person to be identified (Act Respecting the Protection of Personal Information in the Private Sector).

  • Ontario. Personal health information includes identifying information about an individual that relates to the physical or mental health of the individual or the provision of healthcare to the individual. It includes identifying information contained in a record containing such information (Personal Health Information Protection Act).

Although these definitions are very broad, each law only applies to certain categories of activities relating to personal information. Other activities may be regulated by separate legislation (for example, health information or personal information in the public sector) or not regulated at all (for example, certain non-commercial, personal or domestic activities).

4. What acts are regulated (EU: processing)?

Generally, the following activities relating to personal information are regulated:

  • Collection.

  • Use.

  • Disclosure (including transfer, lease or sale).

  • Retention.

  • Storage.

  • Safeguarding.

  • Destruction.

An individual has the right (subject to specific exceptions) to:

  • Know what personal information is being collected.

  • Know the purpose for which personal information is collected.

  • Consent to the collection, use or disclosure of personal information.

  • Access, and request the correction of, personal information held by an organisation.

5. What is the jurisdictional scope of the rules?

PIPEDA applies to regulated activities that occur within Canada or between Canada and another jurisdiction.

Where an activity occurs in a province that has enacted private sector privacy legislation, that activity may be governed by both PIPEDA and by provincial law, or just the provincial law if the activity occurs only in the province.

6. What are the main exemptions (if any)?

Most federal and provincial private sector privacy legislation excludes categories of, and certain activities relating to, personal information that:

  • Is used in relation to an emergency that threatens an individual's life, health or security.

  • Is publicly available (this is narrowly defined by the legislation and is not the same as being in the public domain).

  • Is collected solely for journalistic, artistic or literary purposes.

  • Is disclosed to a barrister or solicitor representing an organisation.

  • Is used for debt collection.

  • Must be disclosed to comply with a subpoena, warrant or court order, or court rules relating to the production of records.

  • Must be disclosed to a provincial or federal government institution if it relates to national security or defence.

  • Must be disclosed to a provincial or federal government institution if it relates to the conduct of international affairs, law enforcement or the administration of any law.

  • Is required for a statistical or scholarly study, and it is impractical to obtain consent from the individuals concerned (or meet other specific requirements).

  • Was recorded at least 100 years before disclosure.

  • Is disclosed more than 20 years after the death of the relevant individual.

  • Must be disclosed by law.

In addition, in Alberta and British Columbia, personal information can be transferred in the context of certain business transactions (such as the sale of shares in, or assets of, a business) without the need for consent from the individuals whose information is being transferred, provided the parties to the transaction have complied with the specific requirements of the applicable legislation. In British Columbia, this includes the provision of notice of such transfer. The definition of business transaction, and the types of information that can be collected, used or disclosed in a business transaction, vary between the jurisdictions.

7. Is notification or registration required before processing data? If so, please provide brief details.

There are no requirements to notify, or register with, a government body to collect, use or disclose personal information, except when using certain personal information for a statistical or scholarly study in Alberta or Québec (in which case, consent is required).

Consent and notification rights depend on the applicable legislation:

  • Federal. Generally, an individual must consent to the collection, use or disclosure of personal information, for a specified purpose, by an organisation either before or at the time of collection.

  • Alberta and British Columbia. Generally, an individual must consent to an organisation collecting, using or disclosing personal information for a specified purpose either before, or at the time of, collection. Where personal information is collected, used or disclosed for the purpose of establishing, managing or terminating an employment relationship, an employer may, in some circumstances, only be required to provide notice to its employees of the nature of the information and the purpose for which it is to be collected.

MAIN DATA PROTECTION RULES AND PRINCIPLES

8. What are the main obligations imposed on data controllers to ensure that data is processed properly?

An organisation can only collect, use or disclose personal information for a reasonable purpose and only to the extent that is necessary to meet that purpose. Once this threshold is met, an organisation must then ensure that it complies with all necessary obligations in relation to the information that it has collected. These are generally based on ten key privacy principles:

  • Accountability. An organisation is responsible for the personal information in its custody or under its control and must designate an individual or individuals who are accountable for its compliance with the applicable legislation. Organisations are responsible for their agents and employees, including third parties to whom they entrust personal information or who collect, use or disclose personal information on their behalf.

  • Identifying purposes. The purposes for which personal information is collected must be identified by the collecting organisation at or before the time the information is collected. Organisations can only collect personal information for reasonable purposes.

  • Consent. Individuals must be notified of, and consent to, the collection, use or disclosure of their personal information, unless a statutory exemption applies.

  • Limiting collection. The collection of personal information must be limited to that which is necessary for the purposes identified by the organisation, and information must be collected by fair and lawful means.

  • Limiting use, disclosure and retention. Personal information cannot be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information can only be retained for as long as necessary to fulfil the purposes for which it was collected.

  • Accuracy. Personal information must be kept as accurate, complete and up to date as is necessary for the purposes for which it is to be used.

  • Safeguards. Personal information must be protected by safeguards appropriate to the sensitivity of the information.

  • Openness. Certain specific information about the organisation's policies and practices relating to the management of personal information must be made readily available to individuals.

  • Individual access. If they request, individuals have the right (subject to certain exemptions) to be informed of the existence, use and disclosure of, and be given access to, their personal information. Individuals can challenge the accuracy and completeness of their information and have it amended as appropriate.

  • Challenging compliance. Individuals must be able to submit a complaint to the person(s) responsible for the organisation's compliance, challenging its adherence to the obligations.

The various privacy laws may contain exceptions to these requirements, impose additional specific obligations or present the key principles in such a way that their scope varies from that set out above.

9. Is the consent of data subjects required before processing personal data? If so:

  • What rules are there regarding the form and content of consent? Would online consent suffice?

  • Are there any special rules regarding the giving of consent by minors?

Form and content of consent

Depending on the sensitivity of the personal information being collected, consent can be:

  • Express. Consent can be given orally, electronically or in writing. It can also be given online but, as with any other form of consent, must meet the requirements of the applicable privacy legislation and, in some circumstances, the applicable electronic commerce legislation.

  • Implied. Consent can reasonably be inferred from an individual's actions or inaction. For example, when an individual enters into an agreement with an organisation, it can be implied that he has consented to the collection, use and disclosure of his personal information for purposes related to the performance of that agreement and for any other purposes identified to him at the relevant time.

  • Deemed. Consent can be deemed using an opt-out mechanism. The requirements for such mechanisms are either established in the privacy laws or the Commissioners' decisions and generally include:

    • the personal information must be clearly non-sensitive in nature and context;

    • the information-sharing situation must be limited and well-defined as to the nature of the personal information to be used or disclosed, and the extent of the intended use or disclosure;

    • the organisation's purposes must be limited and well-defined, stated in a reasonably clear and understandable manner, and brought to the individual's attention at the time the personal information is collected;

    • the organisation must establish a convenient procedure for easily, inexpensively and immediately opting out of, or withdrawing consent to, secondary purposes and must notify the individual of this procedure at the time the personal information is collected.

The consent requirements apply to information already in the custody or control of an organisation when the applicable legislation came into force (legacy information), as well as to all future collection activities. The various laws differ in their treatment of legacy information. Some provincial laws provide for consent to be deemed so that an organisation can continue using or disclosing legacy information for the purpose for which it was collected. This is not the case under PIPEDA.

Consent by minors

Consent rules depend on the applicable legislation:

  • Federal. Consent from minors is not expressly prohibited in PIPEDA but, as consent from a guardian is described as an acceptable form of consent for information relating to minors, it is generally advisable to seek consent from a guardian rather than a minor.

  • Alberta. Minors can give consent provided they understand the nature and consequences of doing so. Otherwise, consent must be obtained from the minor's guardian.

  • British Columbia. Guardians can consent on behalf of a minor if the minor is incapable of exercising his right to consent.

10. If there is no consent, on what other grounds (if any) can processing be justified?

There are several exemptions to the need for consent (see Question 6). In addition, in Alberta and British Columbia, certain personal information about employees that is collected, used or disclosed solely for the purposes of establishing, managing or terminating the employment relationship does not require consent provided that the required notices have been provided to the employees.

11. Do special rules apply in the case of certain types of personal data, for example sensitive data? If so, please provide brief details.

Generally, the more sensitive the personal information, the more onerous the requirements to show that:

  • It is being collected, used or disclosed for a reasonable purpose, and only to the extent necessary to meet such purpose.

  • The individual has consented to the collection, use or disclosure of their personal information (express consent is more likely to be required and deemed consent is less likely to be effective (see Question 9)).

Whether personal information is sensitive depends on individual circumstances (for example, the names and addresses of subscribers to periodicals are not normally considered sensitive personal information, except in the case of certain special-interest periodicals). Social insurance numbers and health and financial information are almost always considered sensitive personal information. In addition, information from which it is possible to determine an individual's beliefs and/or interests is often considered sensitive.

RIGHTS OF INDIVIDUALS

12. What information should be provided to data subjects at the point of collection of the personal data?

Before, or at the time that, personal information is collected, individuals must (unless otherwise provided by legislation) be made aware of the:

  • Nature of the personal information being collected.

  • Purposes for which their personal information is to be collected, used or disclosed.

  • Name of a person who is able to answer, on behalf of the collecting organisation, the individual's questions about the collection.

For the consent to be valid, it must be given voluntarily and without reliance on deceptive or misleading collection practices. Consent to purposes beyond what is reasonably necessary to supply a product or service cannot be a precondition to the supply of that product or service.

In Québec, consent must be manifest, free and enlightened and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.

As consent given for one purpose is not valid for other purposes, organisations should anticipate their use and disclosure requirements in advance and develop their consent practices to ensure that all eventualities are covered.

13. What other specific rights (such as a right of access to personal data or the right to object to processing) are granted to data subjects?

Right of access

Generally, individuals have the right, subject to certain exceptions and restrictions, to:

  • Be informed of the existence, use and disclosure of their personal information.

  • Have access to their personal information.

Organisations can, if permitted or required by the applicable legislation, refuse to grant access to some or all personal information. When this is possible depends on the applicable law but, generally, organisations can refuse access if:

  • The information contains references to other individuals that cannot reasonably be removed.

  • The information is subject to a legal privilege.

  • Disclosure of the information would reveal confidential commercial information that it is reasonable to withhold.

  • The information was collected for an investigation or legal proceeding.

  • The disclosure of the information might result in that type of information no longer being provided to the organisation when it is reasonable to expect that that type of information should be provided.

  • The information was collected by a mediator or arbitrator, or created in the conduct of a mediation or arbitration, provided for by an agreement, enactment or court appointment.

  • The information may be used in the exercise of prosecutorial discretion.

  • The disclosure of the information can reasonably be expected to threaten the life or security of another individual.

  • The information would reveal the identity of an individual who has provided an opinion about another individual in confidence and who has not consented to the disclosure of their identity.

Organisations may be required to respond to an individual's request in a relatively short time frame (between 30 and 45 days, depending on the legislation) and without any, or only a minimal, fee. Extensions of response time periods may be available depending on the circumstances and the applicable law.

If an individual can demonstrate that his information is inaccurate or incomplete, the organisation may be required to make appropriate changes and inform any third parties that have received this information of the changes. In certain circumstances an organisation can refuse to make a requested correction, but may be required to annotate the applicable records to indicate that a correction was requested but not made.

SECURITY REQUIREMENTS

14. What security requirements are imposed in relation to personal data?

Organisations must implement safeguards to protect personal information against:

  • Loss or theft.

  • Unauthorised access, collection, use, disclosure, copying, modification, disposal or destruction.

  • Other similar risks.

Generally, the nature of the safeguards required varies depending on the:

  • Sensitivity of the information collected (organisations must protect personal information with safeguards appropriate to the sensitivity of the information).

  • Amount, distribution and format of the information.

  • Method of storage.

When considering the nature of the safeguards to be employed, organisations should consider:

  • Physical protection, such as locked cabinets and restricted-access areas.

  • Organisational safeguards, such as security clearances or limiting access on a need-to-know basis.

  • Technological measures, such as passwords and encryption.

PROCESSING BY THIRD PARTIES

15. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Generally, an organisation is responsible for ensuring that third parties acting on its behalf comply with privacy laws if:

  • The third party collects, uses, processes or discloses personal information on behalf of the organisation.

  • Personal information collected by or for the organisation is in the custody of the third party.

This applies whether the third party is within or outside of Canada.

The risks associated with these obligations are often addressed through contractual arrangements with the third parties to ensure that they:

  • Comply with all applicable laws.

  • Apply the same standards and care as the organisation.

INTERNATIONAL TRANSFER OF DATA

16. What rules govern the transfer of data outside your jurisdiction?

Personal information collected in Canada and transferred to another jurisdiction is subject to the same privacy rules as personal information collected and disclosed within Canada.

Canada's privacy commissioners are likely to assert jurisdiction over foreign disclosures and require the disclosing organisation to follow all the applicable Canadian rules, particularly those relating to use and disclosure (that is, that use or disclosure must be for a reasonable purpose and limited to the extent necessary to meet this purpose, and an individual must consent to, or be notified of, the collection, use or disclosure of his personal information).

17. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Although data transfer or privacy compliance agreements are used in Canada, no standard forms or precedents have been approved by national authorities.

18. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A data processing agreement should ensure that the transferee will comply with privacy laws, as the transferring organisation remains responsible for privacy obligations (see Question 15).

Generally, any transfer of personal information within Canada or to another jurisdiction will only be permitted if:

  • The disclosure is for a reasonable purpose and limited to the extent necessary to meet this purpose.

  • The individual has consented to, or been notified of, the disclosure of his personal information, in the manner required by the applicable law.

  • All other requirements for disclosure specified in the applicable legislation have been met.

19. Does the relevant national regulator need to approve the data transfer agreement? If so, please provide brief details.

Data transfer agreements do not need to be approved by privacy commissioners.

ENFORCEMENT AND SANCTIONS

20. What are the enforcement powers of the national regulator?

Federal

Individuals can submit written complaints to the Federal Privacy Commissioner about any activity that they believe contravenes PIPEDA. The Federal Privacy Commissioner can also initiate a review.

When conducting an investigation, the Federal Privacy Commissioner can:

  • Summon and compel a witness to give evidence under oath, and to produce records and things, in the same manner as a superior court.

  • Administer oaths.

  • Accept evidence that would not be admissible in a court.

  • Enter premises other than a dwelling house, provided any security requirements of the organisation are met.

  • Converse in private with anyone on any premises that is entered for investigation.

  • Examine or obtain copies of, or extracts from, records held on investigated premises.

Within one year of receiving a complaint or initiating an investigation, the Privacy Commissioner must prepare a report unless she determines any of the following:

  • Other grievance procedures need to be exhausted first.

  • Another legal procedure would be more appropriate to deal with the complaint.

  • A report would not be useful.

  • The complaint is frivolous.

The report includes:

  • Findings and recommendations.

  • A description of any settlement.

  • If appropriate, a request that the Privacy Commissioner be given notice of any action taken to implement the recommendations or reasons why action is not taken.

After a report is issued, a complainant can then apply to the relevant court for a hearing in respect of any matter relating to the complaint.

The Privacy Commissioner can also audit the privacy practices of an organisation subject to her jurisdiction on reasonable notice.

Provincial

The provincial privacy commissioners generally have the same powers of enforcement as, or stronger powers than, the federal Privacy Commissioner. In particular, they can:

  • Conduct investigations to ensure compliance with their legislation.

  • Initiate investigations of their own accord.

  • Receive, investigate and resolve complaints.

  • Mediate settlements.

  • Make binding orders.

  • Give advice to organisations on compliance.

  • Give advance rulings on issues arising under the legislation.

  • Conduct a formal inquiry.

21. What are the sanctions and remedies for non-compliance with the data protection laws? To what extent are the laws actively enforced?

Federal

Fines of up to Can$10,000 (about US$10,000) on summary conviction or Can$100,000 (about US$100,000) on indictment can be issued for:

  • Obstructing an investigation or audit by the Privacy Commissioner.

  • Unlawfully destroying evidence.

  • Retaliating against an employee for initiating a complaint or inquiry.

The Federal Court can order an organisation to:

  • Correct its practices.

  • Publish a notice of any action taken, or proposed to be taken, to correct its practices.

  • Pay civil damages to a complainant, including damages for any humiliation suffered.

Provincial

In addition to the various Commissioners' broad order-making powers, fines can be imposed, the amounts of which vary depending on the province:

  • Alberta. Individuals can be fined up to Can$10,000 and entities can be fined up to Can$100,000.

  • British Columbia. Individuals can be fined up to Can$10,000 and entities can be fined up to Can$100,000.

  • Québec. The maximum fine is Can$20,000 (about US$20,000).

Organisations can also face civil liability for the breach of provincial privacy legislation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.