Bill C-54, the federal Personal Information Protection and Electronic Documents Act, has passed second reading and been referred to the Standing Committee on Industry. Part I of the Bill is intended to protect personal information collected, used or disclosed in the private sector, including information about customers and employees.
Initially, the legislation will apply to the federally-regulated private sector, many federal Crown corporations, and to international or inter-provincial trade in personal information. Three years after it comes into effect, the law will apply more broadly to cover all personal information collected, used or disclosed in the course of commercial activities. However, if a province adopts substantially similar legislation, the federal law will no longer apply to organizations covered by the provincial law. The Bill defines the “organizations” to which it applies as including associations, partnerships, persons and trade unions. The provisions will not apply to personal information collected, used or disclosed solely for journalistic, artistic or literary purposes.
The privacy provisions in Part I are based on the Canadian Standards Association’s Model Code for the Protection of Personal Information. They include:
An organization is responsible for the personal information under its control and must designate one or more persons to be accountable for complying with the legislation’s requirements. Organizations must implement practices to preserve privacy, such as procedures to protect personal information, and a complaints process.
Identifying Purposes; Limiting Collection, Use, Disclosure and Retention
Organizations must identify the purposes for which they collect personal information and must limit collection to what is necessary for those purposes, using only fair and lawful means. Information may be used or disclosed only for the purpose for which it was collected, except with the consent of the person to whom it relates or in the specific circumstances set out in the Bill. The information may be retained only as long as necessary for its purpose, after which it should be destroyed or made anonymous. If the information has been used to make a decision about an individual, it must be retained long enough to allow that person access to it after the decision has been made.
Information may be collected, used or disclosed only with the knowledge and consent of the individual concerned, except where inappropriate. Collection, use or disclosure of information may occur without consent in a number of limited circumstances. For example, information may be collected without knowledge or consent where the collection is clearly in the individual’s interest and consent cannot be obtained in a timely way, or where it is reasonable to expect that collection from the individual would compromise the accuracy of the information, defeat the purpose or prejudice the use for which it is collected. Information may be used without knowledge or consent for the investigation of an offence, or in an emergency situation that threatens a person’s life, health or security.
Personal information must be protected by security safeguards, the nature of which depends on the sensitivity of the information at issue.
Upon request, individuals must be informed of the existence, use or disclosure of personal information, must be given access to that information, and have the right to challenge its accuracy and completeness and to have it amended. However, access may be refused in a number of circumstances, such as where solicitor-client privilege applies, in certain situations where access would reveal information about a third party or confidential commercial information, or if it would entail prohibitive cost.
Because individuals are entitled to challenge an organization’s compliance with the legislation’s requirements, organizations must implement complaint procedures, investigate all complaints, and take appropriate measures where a complaint is justified.
Among other powers, the Privacy Commissioner may receive or initiate complaints against an organization alleged to have contravened the legislation. He or she may investigate complaints and use dispute resolution mechanisms, such as mediation and conciliation. In specified circumstances, a complainant may then apply to the Federal Court for a hearing. By way of remedy, the Court may, in addition to its normal powers, order an organization to correct its practices to comply with the Act and award damages to the complainant, including damages for humiliation suffered and punitive damages up to $20,000.
For further information, please contact George Rontiris at (613) 563-7660, Extension 275.