An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision ActPersonal Information Protection and Electronic Documents ActPersonal Information Protection and Electronic Documents20004
13
20196
22
P-8.652000Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:Short TitleShort titleThis Act may be cited as the Personal Information Protection and Electronic Documents Act.Protection of Personal Information in the Private SectorInterpretationDefinitionsThe definitions in this subsection apply in this Part.alternative format, with respect to personal information, means a format that allows a person with a sensory disability to read or listen to the personal information. (support de substitution)breach of security safeguards means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards. (atteinte aux mesures de sécurité)business contact information means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address. (coordonnées d’affaires)business transaction includesthe purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;the merger or amalgamation of two or more organizations;the making of a loan or provision of other financing to an organization or a part of an organization;the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;the lease or licensing of any of an organization’s assets; andany other prescribed arrangement between two or more organizations to conduct a business activity. (transaction commerciale)commercial activity means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists. (activité commerciale)Commissioner means the Privacy Commissioner appointed under section 53 of the Privacy Act. (commissaire)Court means the Federal Court. (Cour)federal work, undertaking or business means any work, undertaking or business that is within the legislative authority of Parliament. It includesa work, undertaking or business that is operated or carried on for or in connection with navigation and shipping, whether inland or maritime, including the operation of ships and transportation by ship anywhere in Canada;a railway, canal, telegraph or other work or undertaking that connects a province with another province, or that extends beyond the limits of a province;a line of ships that connects a province with another province, or that extends beyond the limits of a province;a ferry between a province and another province or between a province and a country other than Canada;aerodromes, aircraft or a line of air transportation;a radio broadcasting station;a bank or an authorized foreign bank as defined in section 2 of the Bank Act;a work that, although wholly situated within a province, is before or after its execution declared by Parliament to be for the general advantage of Canada or for the advantage of two or more provinces;a work, undertaking or business outside the exclusive legislative authority of the legislatures of the provinces; anda work, undertaking or business to which federal laws, within the meaning of section 2 of the Oceans Act, apply under section 20 of that Act and any regulations made under paragraph 26(1)(k) of that Act. (entreprises fédérales)organization includes an association, a partnership, a person and a trade union. (organisation)personal health information, with respect to an individual, whether living or deceased, meansinformation concerning the physical or mental health of the individual;information concerning any health service provided to the individual;information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;information that is collected in the course of providing health services to the individual; orinformation that is collected incidentally to the provision of health services to the individual. (renseignement personnel sur la santé)personal information means information about an identifiable individual. (renseignement personnel)prescribed means prescribed by regulation. (Version anglaise seulement)record includes any correspondence, memorandum, book, plan, map, drawing, diagram, pictorial or graphic work, photograph, film, microform, sound recording, videotape, machine-readable record and any other documentary material, regardless of physical form or characteristics, and any copy of any of those things. (document)Notes in Schedule 1In this Part, a reference to clause 4.3 or 4.9 of Schedule 1 does not include a reference to the note that accompanies that clause.2000, c. 5, s. 2; 2002, c. 8, s. 183; 2015, c. 32, s. 2PurposePurposeThe purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.ApplicationApplicationThis Part applies to every organization in respect of personal information thatthe organization collects, uses or discloses in the course of commercial activities; oris about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.ApplicationThis Part applies to an organization set out in column 1 of Schedule 4 in respect of personal information set out in column 2.LimitThis Part does not apply toany government institution to which the Privacy Act applies;any individual in respect of personal information that the individual collects, uses or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; orany organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic or literary purposes and does not collect, use or disclose for any other purpose.Other ActsEvery provision of this Part applies despite any provision, enacted after this subsection comes into force, of any other Act of Parliament, unless the other Act expressly declares that that provision operates despite the provision of this Part.[Note: Subsection 4(3) in force January 1, 2001, see SI/2000-29.]2000, c. 5, s. 4; 2015, c. 32, s. 3, c. 36, s. 164Business contact informationThis Part does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.2015, c. 32, s. 4Certificate under Canada Evidence ActWhere a certificate under section 38.13 of the Canada Evidence Act prohibiting the disclosure of personal information of a specific individual is issued before a complaint is filed by that individual under this Part in respect of a request for access to that information, the provisions of this Part respecting that individual’s right of access to his or her personal information do not apply to the information that is subject to the certificate.Certificate following filing of complaintNotwithstanding any other provision of this Part, where a certificate under section 38.13 of the Canada Evidence Act prohibiting the disclosure of personal information of a specific individual is issued after the filing of a complaint under this Part in relation to a request for access to that information:all proceedings under this Part in respect of that information, including an investigation, audit, appeal or judicial review, are discontinued;the Commissioner shall not disclose the information and shall take all necessary precautions to prevent its disclosure; andthe Commissioner shall, within 10 days after the certificate is published in the Canada Gazette, return the information to the organization that provided the information.Information not to be disclosedThe Commissioner and every person acting on behalf or under the direction of the Commissioner, in carrying out their functions under this Part, shall not disclose information subject to a certificate issued under section 38.13 of the Canada Evidence Act, and shall take every reasonable precaution to avoid the disclosure of that information.Power to delegateThe Commissioner may not delegate the investigation of any complaint relating to information subject to a certificate issued under section 38.13 of the Canada Evidence Act except to one of a maximum of four officers or employees of the Commissioner specifically designated by the Commissioner for the purpose of conducting that investigation.2001, c. 41, s. 103Protection of Personal InformationCompliance with obligationsSubject to sections 6 to 9, every organization shall comply with the obligations set out in Schedule 1.Meaning of shouldThe word should, when used in Schedule 1, indicates a recommendation and does not impose an obligation.Appropriate purposesAn organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.Effect of designation of individualThe designation of an individual under clause 4.1 of Schedule 1 does not relieve the organization of the obligation to comply with the obligations set out in that Schedule.Valid consentFor the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.2015, c. 32, s. 5Collection without knowledge or consentFor the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only ifthe collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;the collection is solely for journalistic, artistic or literary purposes;the information is publicly available and is specified by the regulations; orthe collection is made for the purpose of making a disclosureunder subparagraph (3)(c.1)(i) or (d)(ii), orthat is required by law.Use without knowledge or consentFor the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only ifin the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention;it is used for the purpose of acting in respect of an emergency that threatens the life, health or security of an individual;the information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced;it is used for statistical, or scholarly study or research, purposes that cannot be achieved without using the information, the information is used in a manner that will ensure its confidentiality, it is impracticable to obtain consent and the organization informs the Commissioner of the use before the information is used;it is publicly available and is specified by the regulations; orit was collected under paragraph (1)(a), (b) or (e).Disclosure without knowledge or consentFor the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure ismade to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization;for the purpose of collecting a debt owed by the individual to the organization;required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated thatit suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,the disclosure is requested for the purpose of administering any law of Canada or a province, orthe disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section;made on the initiative of the organization to a government institution or a part of a government institution and the organizationhas reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, orsuspects that the information relates to national security, the defence of Canada or the conduct of international affairs;made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;made on the initiative of the organization to a government institution, a part of a government institution or the individual’s next of kin or authorized representative andthe organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse,the disclosure is made solely for purposes related to preventing or investigating the abuse, andit is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse;necessary to identify the individual who is injured, ill or deceased, made to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and, if the individual is alive, the organization informs that individual in writing without delay of the disclosure;made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;of information that is contained in a witness statement and the disclosure is necessary to assess, process or settle an insurance claim;of information that was produced by the individual in the course of their employment, business or profession and the disclosure is consistent with the purposes for which the information was produced;for statistical, or scholarly study or research, purposes that cannot be achieved without disclosing the information, it is impracticable to obtain consent and the organization informs the Commissioner of the disclosure before the information is disclosed;made to an institution whose functions include the conservation of records of historic or archival importance, and the disclosure is made for the purpose of such conservation;made after the earlier ofone hundred years after the record containing the information was created, andtwenty years after the death of the individual whom the information is about;of information that is publicly available and is specified by the regulations; or[Repealed, 2015, c. 32, s. 6]required by law.Use without consentDespite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection (2).Disclosure without consentDespite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.1).2000, c. 5, s. 7, c. 17, s. 97; 2001, c. 41, s. 81; 2004, c. 15, s. 98; 2015, c. 32, s. 6DefinitionsThe following definitions apply in this section.access means to program, to execute programs on, to communicate with, to store data in, to retrieve data from, or to otherwise make use of any resources, including data or programs on a computer system or a computer network. (utiliser)computer program has the same meaning as in subsection 342.1(2) of the Criminal Code. (programme d’ordinateur)computer system has the same meaning as in subsection 342.1(2) of the Criminal Code. (ordinateur)electronic address means an address used in connection withan electronic mail account;an instant messaging account; orany similar account. (adresse électronique)Collection of electronic addresses, etc.Paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect ofthe collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; orthe use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a).Accessing a computer system to collect personal information, etc.Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect ofthe collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; orthe use of personal information that is collected in a manner described in paragraph (a).2010, c. 23, s. 82; 2015, c. 32, s. 26Prospective business transactionIn addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual ifthe organizations have entered into an agreement that requires the organization that receives the personal informationto use and disclose that information solely for purposes related to the transaction,to protect that information by security safeguards appropriate to the sensitivity of the information, andif the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; andthe personal information is necessaryto determine whether to proceed with the transaction, andif the determination is made to proceed with the transaction, to complete it.Completed business transactionIn addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual ifthe organizations have entered into an agreement that requires each of themto use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,to protect that information by security safeguards appropriate to the sensitivity of the information, andto give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;the personal information is necessary for carrying on the business or activity that was the object of the transaction; andone of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).Agreements bindingAn organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).ExceptionSubsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.2015, c. 32, s. 7Employment relationshipIn addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual ifthe collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; andthe federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.2015, c. 32, s. 7Use without consentDespite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.Disclosure without consentDespite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.2015, c. 32, s. 7Written requestA request under clause 4.9 of Schedule 1 must be made in writing.AssistanceAn organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.Time limitAn organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.Extension of time limitAn organization may extend the time limitfor a maximum of thirty days ifmeeting the time limit would unreasonably interfere with the activities of the organization, orthe time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; orfor the period that is necessary in order to be able to convert the personal information into an alternative format.In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.Deemed refusalIf the organization fails to respond within the time limit, the organization is deemed to have refused the request.Costs for respondingAn organization may respond to an individual’s request at a cost to the individual only ifthe organization has informed the individual of the approximate cost; andthe individual has advised the organization that the request is not being withdrawn.ReasonsAn organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.Retention of informationDespite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.2000, c. 5, s. 8; 2015, c. 32, s. 8(F)When access prohibitedDespite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.LimitSubsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual’s life, health or security is threatened.Information related to paragraphs 7(3)(c), (c.1) or (d)An organization shall comply with subsection (2.2) if an individual requests that the organizationinform the individual aboutany disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), orthe existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); orgive the individual access to the information referred to in subparagraph (a)(ii).Notification and responseAn organization to which subsection (2.1) appliesshall, in writing and without delay, notify the institution or part concerned of the request made by the individual; andshall not respond to the request before the earlier ofthe day on which it is notified under subsection (2.3), andthirty days after the day on which the institution or part was notified.ObjectionWithin thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious tonational security, the defence of Canada or the conduct of international affairs;the detection, prevention or deterrence of money laundering or the financing of terrorist activities; orthe enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.ProhibitionDespite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organizationshall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);shall notify the Commissioner, in writing and without delay, of the refusal; andshall not disclose to the individualany information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), orthat the institution or part objects.When access may be refusedDespite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only ifthe information is protected by solicitor-client privilege or the professional secrecy of advocates and notaries or by litigation privilege;to do so would reveal confidential commercial information;to do so could reasonably be expected to threaten the life or security of another individual;the information was collected under paragraph 7(1)(b);the information was generated in the course of a formal dispute resolution process; orthe information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.However, in the circumstances described in paragraph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.LimitSubsection (3) does not apply if the individual needs the information because an individual’s life, health or security is threatened.NoticeIf an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.2000, c. 5, s. 9, c. 17, s. 97; 2001, c. 41, s. 82; 2005, c. 46, s. 57; 2006, c. 9, s. 223; 2015, c. 32, s. 92019, c. 18, s. 61Sensory disabilityAn organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format ifa version of the information already exists in that format; orits conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Part.Breaches of Security SafeguardsReport to CommissionerAn organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.Report requirementsThe report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.Notification to individualUnless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.Contents of notificationThe notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.Form and mannerThe notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.Time to give notificationThe notification shall be given as soon as feasible after the organization determines that the breach has occurred.Definition of significant harmFor the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.Real risk of significant harm — factorsThe factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual includethe sensitivity of the personal information involved in the breach;the probability that the personal information has been, is being or will be misused; andany other prescribed factor.2015, c. 32, s. 10Notification to organizationsAn organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.Time to give notificationThe notification shall be given as soon as feasible after the organization determines that the breach has occurred.Disclosure of personal informationIn addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual ifthe disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1); andthe disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.Disclosure without consentDespite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in the circumstance set out in subsection (3).2015, c. 32, s. 10RecordsAn organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.Provision to CommissionerAn organization shall, on request, provide the Commissioner with access to, or a copy of, a record.2015, c. 32, s. 10RemediesFiling of ComplaintsContraventionAn individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.Commissioner may initiate complaintIf the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Part, the Commissioner may initiate a complaint in respect of the matter.Time limitA complaint that results from the refusal to grant a request under section 8 must be filed within six months, or any longer period that the Commissioner allows, after the refusal or after the expiry of the time limit for responding to the request, as the case may be.NoticeThe Commissioner shall give notice of a complaint to the organization against which the complaint was made.2000, c. 5, s. 11; 2015, c. 32, s. 11Investigations of ComplaintsExamination of complaint by CommissionerThe Commissioner shall conduct an investigation in respect of a complaint, unless the Commissioner is of the opinion thatthe complainant ought first to exhaust grievance or review procedures otherwise reasonably available;the complaint could more appropriately be dealt with, initially or completely, by means of a procedure provided for under the laws of Canada, other than this Part, or the laws of a province; orthe complaint was not filed within a reasonable period after the day on which the subject matter of the complaint arose.ExceptionDespite subsection (1), the Commissioner is not required to conduct an investigation in respect of an act alleged in a complaint if the Commissioner is of the opinion that the act, if proved, would constitute a contravention of any of sections 6 to 9 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act or section 52.01 of the Competition Act or would constitute conduct that is reviewable under section 74.011 of that Act.NotificationThe Commissioner shall notify the complainant and the organization that the Commissioner will not investigate the complaint or any act alleged in the complaint and give reasons.Compelling reasonsThe Commissioner may reconsider a decision not to investigate under subsection (1), if the Commissioner is satisfied that the complainant has established that there are compelling reasons to investigate.2000, c. 5, s. 12; 2010, c. 23, s. 83Powers of CommissionerIn the conduct of an investigation of a complaint, the Commissioner maysummon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary to investigate the complaint, in the same manner and to the same extent as a superior court of record;administer oaths;receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;at any reasonable time, enter any premises, other than a dwelling-house, occupied by an organization on satisfying any security requirements of the organization relating to the premises;converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; andexamine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the investigation.Dispute resolution mechanismsThe Commissioner may attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.DelegationThe Commissioner may delegate any of the powers set out in subsection (1) or (2).Return of recordsThe Commissioner or the delegate shall return to a person or an organization any record or thing that they produced under this section within 10 days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.Certificate of delegationAny person to whom powers set out in subsection (1) are delegated shall be given a certificate of the delegation and the delegate shall produce the certificate, on request, to the person in charge of any premises to be entered under paragraph (1)(d).2010, c. 23, s. 83Discontinuance of InvestigationReasonsThe Commissioner may discontinue the investigation of a complaint if the Commissioner is of the opinion thatthere is insufficient evidence to pursue the investigation;the complaint is trivial, frivolous or vexatious or is made in bad faith;the organization has provided a fair and reasonable response to the complaint;the matter is the object of a compliance agreement entered into under subsection 17.1(1);the matter is already the object of an ongoing investigation under this Part;the matter has already been the subject of a report by the Commissioner;any of the circumstances mentioned in paragraph 12(1)(a), (b) or (c) apply; orthe matter is being or has already been addressed under a procedure referred to in paragraph 12(1)(a) or (b).Other reasonThe Commissioner may discontinue an investigation in respect of an act alleged in a complaint if the Commissioner is of the opinion that the act, if proved, would constitute a contravention of any of sections 6 to 9 of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act or section 52.01 of the Competition Act or would constitute conduct that is reviewable under section 74.011 of that Act.NotificationThe Commissioner shall notify the complainant and the organization that the investigation has been discontinued and give reasons.2010, c. 23, s. 83; 2015, c. 32, s. 12Commissioner’s ReportContentsThe Commissioner shall, within one year after the day on which a complaint is filed or is initiated by the Commissioner, prepare a report that containsthe Commissioner’s findings and recommendations;any settlement that was reached by the parties;if appropriate, a request that the organization give the Commissioner, within a specified time, notice of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken; andthe recourse, if any, that is available under section 14.[Repealed, 2010, c. 23, s. 84]Report to partiesThe report shall be sent to the complainant and the organization without delay.2000, c. 5, s. 13; 2010, c. 23, s. 84Hearing by CourtApplicationA complainant may, after receiving the Commissioner’s report or being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1 or 1.1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.1.Time for applicationA complainant shall make an application within one year after the report or notification is sent or within any longer period that the Court may, either before or after the expiry of that year, allow.For greater certaintyFor greater certainty, subsections (1) and (2) apply in the same manner to complaints referred to in subsection 11(2) as to complaints referred to in subsection 11(1).2000, c. 5, s. 14; 2010, c. 23, s. 85; 2015, c. 32, s. 13Commissioner may apply or appearThe Commissioner may, in respect of a complaint that the Commissioner did not initiate,apply to the Court, within the time limited by section 14, for a hearing in respect of any matter described in that section, if the Commissioner has the consent of the complainant;appear before the Court on behalf of any complainant who has applied for a hearing under section 14; orwith leave of the Court, appear as a party to any hearing applied for under section 14.RemediesThe Court may, in addition to any other remedies it may give,order an organization to correct its practices in order to comply with Divisions 1 and 1.1;order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); andaward damages to the complainant, including damages for any humiliation that the complainant has suffered.2000, c. 5, s. 16; 2015, c. 32, s. 14Summary hearingsAn application made under section 14 or 15 shall be heard and determined without delay and in a summary way unless the Court considers it inappropriate to do so.PrecautionsIn any proceedings arising from an application made under section 14 or 15, the Court shall take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1.Compliance AgreementsCompliance agreementIf the Commissioner believes on reasonable grounds that an organization has committed, is about to commit or is likely to commit an act or omission that could constitute a contravention of a provision of Division 1 or 1.1 or a failure to follow a recommendation set out in Schedule 1, the Commissioner may enter into a compliance agreement, aimed at ensuring compliance with this Part, with that organization.TermsA compliance agreement may contain any terms that the Commissioner considers necessary to ensure compliance with this Part.Effect of compliance agreement — no applicationWhen a compliance agreement is entered into, the Commissioner, in respect of any matter covered under the agreement,shall not apply to the Court for a hearing under subsection 14(1) or paragraph 15(a); andshall apply to the court for the suspension of any pending applications that were made by the Commissioner under those provisions.For greater certaintyFor greater certainty, a compliance agreement does not precludean individual from applying for a hearing under section 14; orthe prosecution of an offence under the Act.2015, c. 32, s. 15Agreement complied withIf the Commissioner is of the opinion that a compliance agreement has been complied with, the Commissioner shall provide written notice to that effect to the organization and withdraw any applications that were made under subsection 14(1) or paragraph 15(a) in respect of any matter covered under the agreement.Agreement not complied withIf the Commissioner is of the opinion that an organization is not complying with the terms of a compliance agreement, the Commissioner shall notify the organization and may apply to the Court foran order requiring the organization to comply with the terms of the agreement, in addition to any other remedies it may give; ora hearing under subsection 14(1) or paragraph 15(a) or to reinstate proceedings that have been suspended as a result of an application made under paragraph 17.1(3)(b).Time for applicationDespite subsection 14(2), the application shall be made within one year after notification is sent or within any longer period that the Court may, either before or after the expiry of that year, allow.2015, c. 32, s. 15AuditsTo ensure complianceThe Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization has contravened a provision of Division 1 or 1.1 or is not following a recommendation set out in Schedule 1, and for that purpose maysummon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary for the audit, in the same manner and to the same extent as a superior court of record;administer oaths;receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;at any reasonable time, enter any premises, other than a dwelling-house, occupied by the organization on satisfying any security requirements of the organization relating to the premises;converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; andexamine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the audit.DelegationThe Commissioner may delegate any of the powers set out in subsection (1).Return of recordsThe Commissioner or the delegate shall return to a person or an organization any record or thing they produced under this section within ten days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.Certificate of delegationAny person to whom powers set out in subsection (1) are delegated shall be given a certificate of the delegation and the delegate shall produce the certificate, on request, to the person in charge of any premises to be entered under paragraph (1)(d).2000, c. 5, s. 18; 2015, c. 32, s. 16Report of findings and recommendationsAfter an audit, the Commissioner shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the Commissioner considers appropriate.Reports may be included in annual reportsThe report may be included in a report made under section 25.GeneralConfidentialitySubject to subsections (2) to (7), 12(3), 12.2(3), 13(3), 19(1), 23(3) and 23.1(1) and section 25, the Commissioner or any person acting on behalf or under the direction of the Commissioner shall not disclose any information that comes to their knowledge as a result of the performance or exercise of any of the Commissioner’s duties or powers under this Part other than those referred to in subsection 10.1(1) or 10.3(2).Confidentiality — reports and recordsSubject to subsections (2) to (7), 12(3), 12.2(3), 13(3), 19(1), 23(3) and 23.1(1) and section 25, the Commissioner or any person acting on behalf or under the direction of the Commissioner shall not disclose any information contained in a report made under subsection 10.1(1) or in a record obtained under subsection 10.3(2).Public interestThe Commissioner may, if the Commissioner considers that it is in the public interest to do so, make public any information that comes to his or her knowledge in the performance or exercise of any of his or her duties or powers under this Part.Disclosure of necessary informationThe Commissioner may disclose, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose, information that in the Commissioner’s opinion is necessary toconduct an investigation or audit under this Part; orestablish the grounds for findings and recommendations contained in any report under this Part.Disclosure in the course of proceedingsThe Commissioner may disclose, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose, information in the course ofa prosecution for an offence under section 28;a prosecution for an offence under section 132 of the Criminal Code (perjury) in respect of a statement made under this Part;a hearing before the Court under this Part;an appeal from a decision of the Court; ora judicial review in relation to the performance or exercise of any of the Commissioner’s duties or powers under this Part.Disclosure of offence authorizedThe Commissioner may disclose to the Attorney General of Canada or of a province, as the case may be, information relating to the commission of an offence against any law of Canada or a province on the part of an officer or employee of an organization if, in the Commissioner’s opinion, there is evidence of an offence.Disclosure of breach of security safeguardsThe Commissioner may disclose, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose to a government institution or a part of a government institution, any information contained in a report made under subsection 10.1(1) or in a record obtained under subsection 10.3(2) if the Commissioner has reasonable grounds to believe that the information could be useful in the investigation of a contravention of the laws of Canada or a province that has been, is being or is about to be committed.DisclosureThe Commissioner may disclose information, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose information, in the course of proceedings in which the Commissioner has intervened under paragraph 50(c) of An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act or in accordance with subsection 58(3) or 60(1) of that Act.2000, c. 5, s. 20; 2010, c. 23, s. 86; 2015, c. 32, ss. 17, 26Not competent witnessThe Commissioner or person acting on behalf or under the direction of the Commissioner is not a competent witness in respect of any matter that comes to their knowledge as a result of the performance or exercise of any of the Commissioner’s duties or powers under this Part in any proceeding other thana prosecution for an offence under section 28;a prosecution for an offence under section 132 of the Criminal Code (perjury) in respect of a statement made under this Part;a hearing before the Court under this Part; oran appeal from a decision of the Court.Protection of CommissionerNo criminal or civil proceedings lie against the Commissioner, or against any person acting on behalf or under the direction of the Commissioner, for anything done, reported or said in good faith as a result of the performance or exercise or purported performance or exercise of any duty or power of the Commissioner under this Part.DefamationNo action lies in defamation with respect toanything said, any information supplied or any record or thing produced in good faith in the course of an investigation or audit carried out by or on behalf of the Commissioner under this Part; andany report made in good faith by the Commissioner under this Part and any fair and accurate account of the report made in good faith for the purpose of news reporting.2000, c. 5, s. 22; 2015, c. 32, s. 18Consultations with provincesIf the Commissioner considers it appropriate to do so, or on the request of an interested person, the Commissioner may, in order to ensure that personal information is protected in as consistent a manner as possible, consult with any person who, under provincial legislation, has functions and duties similar to those of the Commissioner with respect to the protection of such information.Agreements or arrangements with provincesThe Commissioner may enter into agreements or arrangements with any person referred to in subsection (1) in order tocoordinate the activities of their offices and the office of the Commissioner, including to provide for mechanisms for the handling of any complaint in which they are mutually interested;undertake and publish research or develop and publish guidelines or other instruments related to the protection of personal information;develop model contracts or other instruments for the protection of personal information that is collected, used or disclosed interprovincially or internationally; anddevelop procedures for sharing information referred to in subsection (3).Sharing of information with provincesThe Commissioner may, in accordance with any procedure established under paragraph (2)(d), share information with any person referred to in subsection (1), if the informationcould be relevant to an ongoing or potential investigation of a complaint or audit under this Part or provincial legislation that has objectives that are similar to this Part; orcould assist the Commissioner or that person in the exercise of their functions and duties with respect to the protection of personal information.Purpose and confidentialityThe procedures referred to in paragraph (2)(d) shallrestrict the use of the information to the purpose for which it was originally shared; andstipulate that the information be treated in a confidential manner and not be further disclosed without the express consent of the Commissioner.2000, c. 5, s. 23; 2010, c. 23, s. 87Disclosure of information to foreign stateSubject to subsection (3), the Commissioner may, in accordance with any procedure established under paragraph (4)(b), disclose information referred to in subsection (2) that has come to the Commissioner’s knowledge as a result of the performance or exercise of any of the Commissioner’s duties or powers under this Part to any person or body who, under the legislation of a foreign state, hasfunctions and duties similar to those of the Commissioner with respect to the protection of personal information; orresponsibilities that relate to conduct that is substantially similar to conduct that would be in contravention of this Part.Information that can be sharedThe information that the Commissioner is authorized to disclose under subsection (1) is information that the Commissioner believeswould be relevant to an ongoing or potential investigation or proceeding in respect of a contravention of the laws of a foreign state that address conduct that is substantially similar to conduct that would be in contravention of this Part; oris necessary to disclose in order to obtain from the person or body information that may be useful to an ongoing or potential investigation or audit under this Part.Written arrangementsThe Commissioner may only disclose information to the person or body referred to in subsection (1) if the Commissioner has entered into a written arrangement with that person or body thatlimits the information to be disclosed to that which is necessary for the purpose set out in paragraph (2)(a) or (b);restricts the use of the information to the purpose for which it was originally shared; andstipulates that the information be treated in a confidential manner and not be further disclosed without the express consent of the Commissioner.ArrangementsThe Commissioner may enter into arrangements with one or more persons or bodies referred to in subsection (1) in order toprovide for cooperation with respect to the enforcement of laws protecting personal information, including the sharing of information referred to in subsection (2) and the provision of mechanisms for the handling of any complaint in which they are mutually interested;establish procedures for sharing information referred to in subsection (2);develop recommendations, resolutions, rules, standards or other instruments with respect to the protection of personal information;undertake and publish research related to the protection of personal information;share knowledge and expertise by different means, including through staff exchanges; oridentify issues of mutual interest and determine priorities pertaining to the protection of personal information.2010, c. 23, s. 87Promoting the purposes of the PartThe Commissioner shalldevelop and conduct information programs to foster public understanding, and recognition of the purposes, of this Part;undertake and publish research that is related to the protection of personal information, including any such research that is requested by the Minister of Industry;encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with Divisions 1 and 1.1; andpromote, by any means that the Commissioner considers appropriate, the purposes of this Part.2000, c. 5, s. 24; 2015, c. 32, s. 19Annual reportThe Commissioner shall, within three months after the end of each financial year, submit to Parliament a report concerning the application of this Part, the extent to which the provinces have enacted legislation that is substantially similar to this Part and the application of any such legislation.ConsultationBefore preparing the report, the Commissioner shall consult with those persons in the provinces who, in the Commissioner’s opinion, are in a position to assist the Commissioner in making a report respecting personal information that is collected, used or disclosed interprovincially or internationally.2000, c. 5, s. 25; 2015, c. 32, s. 20RegulationsThe Governor in Council may make regulations for carrying out the purposes and provisions of this Part, including regulationsspecifying, by name or by class, what is a government institution or part of a government institution for the purposes of any provision of this Part;[Repealed, 2015, c. 32, s. 21]specifying information or classes of information for the purpose of paragraph 7(1)(d), (2)(c.1) or (3)(h.1);specifying information to be kept and maintained under subsection 10.3(1); andprescribing anything that by this Part is to be prescribed.OrdersThe Governor in Council may, by order,provide that this Part is binding on any agent of Her Majesty in right of Canada to which the Privacy Act does not apply;if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province; andamend Schedule 4.2000, c. 5, s. 26; 2015, c. 32, s. 21, c. 36, s. 165WhistleblowingAny person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1 or 1.1 may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.ConfidentialityThe Commissioner shall keep confidential the identity of a person who has notified the Commissioner under subsection (1) and to whom an assurance of confidentiality has been provided by the Commissioner.2000, c. 5, s. 27; 2015, c. 32, s. 22ProhibitionNo employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny an employee a benefit of employment, by reason thatthe employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that the employer or any other person has contravened or intends to contravene a provision of Division 1 or 1.1;the employee, acting in good faith and on the basis of reasonable belief, has refused or stated an intention of refusing to do anything that is a contravention of a provision of Division 1 or 1.1;the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order that a provision of Division 1 or 1.1 not be contravened; orthe employer believes that the employee will do anything referred to in paragraph (a), (b) or (c).SavingNothing in this section impairs any right of an employee either at law or under an employment contract or collective agreement.DefinitionsIn this section, employee includes an independent contractor and employer has a corresponding meaning.2000, c. 5, s. 27.1; 2015, c. 32, s. 23Offence and punishmentEvery organization that knowingly contravenes subsection 8(8), section 10.1 or subsection 10.3(1) or 27.1(1) or that obstructs the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit is guilty ofan offence punishable on summary conviction and liable to a fine not exceeding $10,000; oran indictable offence and liable to a fine not exceeding $100,000.2000, c. 5, s. 28; 2015, c. 32, s. 24Review of Part by parliamentary committeeThe administration of this Part shall, every five years after this Part comes into force, be reviewed by the committee of the House of Commons, or of both Houses of Parliament, that may be designated or established by Parliament for that purpose.[Note: Part 1 in force January 1, 2001, see SI/2000-29.]Review and reportThe committee shall undertake a review of the provisions and operation of this Part and shall, within a year after the review is undertaken or within any further period that the House of Commons may authorize, submit a report to Parliament that includes a statement of any changes to this Part or its administration that the committee recommends.Transitional ProvisionsApplicationThis Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.ApplicationThis Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.Expiry dateSubsection (1) ceases to have effect three years after the day on which this section comes into force.[Note: Section 30 in force January 1, 2001, see SI/2000-29.]Expiry dateSubsection (1.1) ceases to have effect one year after the day on which this section comes into force.[Note: Section 30 in force January 1, 2001, see SI/2000-29.]Electronic DocumentsInterpretationDefinitionsThe definitions in this subsection apply in this Part.data means representations of information or concepts, in any form. (données)electronic document means data that is recorded or stored on any medium in or by a computer system or other similar device and that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data. (document électronique)electronic signature means a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document. (signature électronique)federal law means an Act of Parliament or an instrument, regardless of its name, issued, made or established under an Act of Parliament or a prerogative of the Crown, other than an instrument issued, made or established under the Yukon Act, the Northwest Territories Act or the Nunavut Act. (texte législatif)responsible authority, in respect of a provision of a federal law, meansif the federal law is an Act of Parliament, the minister responsible for that provision;if the federal law is an instrument issued, made or established under an Act of Parliament or a prerogative of the Crown, the person or body who issued, made or established the instrument; ordespite paragraph (a) or (b), the person or body designated by the Governor in Council under subsection (2). (autorité responsable)secure electronic signature means an electronic signature that results from the application of a technology or process prescribed by regulations made under subsection 48(1). (signature électronique sécurisée)DesignationThe Governor in Council may, by order, for the purposes of this Part, designate any person, including any member of the Queen’s Privy Council for Canada, or body to be the responsible authority in respect of a provision of a federal law if the Governor in Council is of the opinion that it is appropriate to do so in the circumstances.PurposePurposeThe purpose of this Part is to provide for the use of electronic alternatives in the manner provided for in this Part where federal laws contemplate the use of paper to record or communicate information or transactions.Electronic AlternativesCollection, storage, etc.A minister of the Crown and any department, branch, office, board, agency, commission, corporation or body for the administration of affairs of which a minister of the Crown is accountable to the Parliament of Canada may use electronic means to create, collect, receive, store, transfer, distribute, publish or otherwise deal with documents or information whenever a federal law does not specify the manner of doing so.Electronic paymentA payment that is required to be made to the Government of Canada may be made in electronic form in any manner specified by the Receiver General.Electronic version of statutory formIf a provision of an Act of Parliament establishes a form, the responsible authority in respect of that provision may make regulations respecting an electronic form that is substantially the same as the form established in the provision, and the electronic form may be used for the same purposes as the form established in the provision.Statutory manner of filing documentsIf a non-electronic manner of filing a document is set out in a provision of an Act of Parliament, the responsible authority in respect of that provision may make regulations respecting the filing of an electronic version of the document, and an electronic version of the document filed in accordance with those regulations is to be considered as a document filed in accordance with the provision.Statutory manner of submitting informationIf a non-electronic manner of submitting information is set out in a provision of an Act of Parliament, the responsible authority in respect of that provision may make regulations respecting the manner of submitting the information using electronic means, and information submitted in accordance with those regulations is to be considered as information submitted in accordance with the provision.Authority to prescribe form, etc.The authority under a federal law to issue, prescribe or in any other manner establish a form, or to establish the manner of filing a document or submitting information, includes the authority to issue, prescribe or establish an electronic form, or to establish an electronic manner of filing the document or submitting information, as the case may be.Meaning of filingIn this section, filing includes all manner of submitting, regardless of how it is designated.Documents as evidence or proofA provision of a federal law that provides that a certificate or other document signed by a minister or public officer is proof of any matter or thing, or is admissible in evidence, is, subject to the federal law, satisfied by an electronic version of the certificate or other document if the electronic version is signed by the minister or public officer with that person’s secure electronic signature.Retention of documentsA requirement under a provision of a federal law to retain a document for a specified period is satisfied, with respect to an electronic document, by the retention of the electronic document ifthe electronic document is retained for the specified period in the format in which it was made, sent or received, or in a format that does not change the information contained in the electronic document that was originally made, sent or received;the information in the electronic document will be readable or perceivable by any person who is entitled to have access to the electronic document or who is authorized to require the production of the electronic document; andif the electronic document was sent or received, any information that identifies the origin and destination of the electronic document and the date and time when it was sent or received is also retained.Notarial actA reference in a provision of a federal law to a document recognized as a notarial act in the province of Quebec is deemed to include an electronic version of the document ifthe electronic version of the document is recognized as a notarial act under the laws of the province of Quebec; andthe federal law or the provision is listed in Schedule 2 or 3.SealsA requirement under a provision of a federal law for a person’s seal is satisfied by a secure electronic signature that identifies the secure electronic signature as the person’s seal if the federal law or the provision is listed in Schedule 2 or 3.Requirements to provide documents or informationA provision of a federal law requiring a person to provide another person with a document or information, other than a provision referred to in any of sections 41 to 47, is satisfied by the provision of the document or information in electronic form ifthe federal law or the provision is listed in Schedule 2 or 3;both persons have agreed to the document or information being provided in electronic form; andthe document or information in electronic form will be under the control of the person to whom it is provided and will be readable or perceivable so as to be usable for subsequent reference.Writing requirementsA requirement under a provision of a federal law for a document to be in writing is satisfied by an electronic document ifthe federal law or the provision is listed in Schedule 2 or 3; andthe regulations respecting the application of this section to the provision have been complied with.Original documentsA requirement under a provision of a federal law for a document to be in its original form is satisfied by an electronic document ifthe federal law or the provision is listed in Schedule 2 or 3;the electronic document contains a secure electronic signature that was added when the electronic document was first generated in its final form and that can be used to verify that the electronic document has not been changed since that time; andthe regulations respecting the application of this section to the provision have been complied with.SignaturesSubject to sections 44 to 46, a requirement under a provision of a federal law for a signature is satisfied by an electronic signature ifthe federal law or the provision is listed in Schedule 2 or 3; andthe regulations respecting the application of this section to the provision have been complied with.Statements made under oathA statement required to be made under oath or solemn affirmation under a provision of a federal law may be made in electronic form ifthe person who makes the statement signs it with that person’s secure electronic signature;the person before whom the statement was made, and who is authorized to take statements under oath or solemn affirmation, signs it with that person’s secure electronic signature;the federal law or the provision is listed in Schedule 2 or 3; andthe regulations respecting the application of this section to the provision have been complied with.Statements declaring truth, etc.A statement required to be made under a provision of a federal law declaring or certifying that any information given by a person making the statement is true, accurate or complete may be made in electronic form ifthe person signs it with that person’s secure electronic signature;the federal law or the provision is listed in Schedule 2 or 3; andthe regulations respecting the application of this section to the provision have been complied with.Witnessed signaturesA requirement under a provision of a federal law for a signature to be witnessed is satisfied with respect to an electronic document ifeach signatory and each witness signs the electronic document with their secure electronic signature;the federal law or the provision is listed in Schedule 2 or 3; andthe regulations respecting the application of this section to the provision have been complied with.CopiesA requirement under a provision of a federal law for one or more copies of a document to be submitted is satisfied by the submission of an electronic document ifthe federal law or the provision is listed in Schedule 2 or 3; andthe regulations respecting the application of this section to the provision have been complied with.Regulations and OrdersRegulationsSubject to subsection (2), the Governor in Council may, on the recommendation of the Treasury Board, make regulations prescribing technologies or processes for the purpose of the definition secure electronic signature in subsection 31(1).CharacteristicsThe Governor in Council may prescribe a technology or process only if the Governor in Council is satisfied that it can be proved thatthe electronic signature resulting from the use by a person of the technology or process is unique to the person;the use of the technology or process by a person to incorporate, attach or associate the person’s electronic signature to an electronic document is under the sole control of the person;the technology or process can be used to identify the person using the technology or process; andthe electronic signature can be linked with an electronic document in such a way that it can be used to determine whether the electronic document has been changed since the electronic signature was incorporated in, attached to or associated with the electronic document.Effect of amendment or repealAn amendment to or repeal of any provision of a regulation made under subsection (1) that has the effect of removing a prescribed technology or process from the regulation does not, by itself, affect the validity of any electronic signature resulting from the use of that technology or process while it was prescribed.Amendment of schedulesFor the purposes of sections 38 to 47, the responsible authority in respect of a provision of a federal law may, by order, amend Schedule 2 or 3 by adding or striking out a reference to that federal law or provision.RegulationsFor the purposes of sections 41 to 47, the responsible authority in respect of a provision of a federal law may make regulations respecting the application of those sections to the provision.ContentsWithout restricting the generality of subsection (1), the regulations that may be made may include rules respecting any of the following:the technology or process that must be used to make or send an electronic document;the format of an electronic document;the place where an electronic document is to be made or sent;the time and circumstances when an electronic document is to be considered to be sent or received and the place where it is considered to have been sent or received;the technology or process to be used to make or verify an electronic signature and the manner in which it is to be used; andany matter necessary for the purposes of the application of sections 41 to 47.Minimum rulesWithout restricting the generality of subsection (1), if a provision referred to in any of sections 41 to 47 requires a person to provide another person with a document or information, the rules set out in the regulations respecting the application of that section to the provision may be thatboth persons have agreed to the document or information being provided in electronic form; andthe document or information in electronic form will be under the control of the person to whom it is provided and will be readable or perceivable so as to be usable for subsequent reference.Incorporation by referenceRegulations may incorporate by reference the standards or specifications of any government, person or organization, either as they read at a fixed time or as they are amended from time to time.Effect of striking out listed provisionThe striking out of a reference to a federal law or provision in Schedule 2 or 3 does not affect the validity of anything done in compliance with any regulation made under section 50 that relates to that federal law or provision while it was listed in that Schedule.Amendments to the Canada Evidence Act[Amendments]Amendments to the Statutory Instruments Act[Amendments]Amendments to the Statute Revision Act[Amendments]Coming into ForceComing into forceParts 1 to 5 or any provision of those Parts come into force on a day or days to be fixed by order of the Governor in Council made on the recommendation ofin the case of Parts 1 and 2 or any provision of those Parts, the Minister of Industry; andin the case of Parts 3 to 5 or any provision of those Parts, the Minister of Justice.[Note: Parts 2, 3 and 4 in force May 1, 2000; Part 1 in force January 1, 2001, see SI/2000-29; Part 5 in force June 1, 2009, see SI/2009-42.](Section 5)Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-964.1 Principle 1 — AccountabilityAn organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.4.1.1Accountability for the organization’s compliance with the principles rests with the designated individual(s), even though other individuals within the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).4.1.2The identity of the individual(s) designated by the organization to oversee the organization’s compliance with the principles shall be made known upon request.4.1.3An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.4.1.4Organizations shall implement policies and practices to give effect to the principles, includingimplementing procedures to protect personal information;establishing procedures to receive and respond to complaints and inquiries;training staff and communicating to staff information about the organization’s policies and practices; anddeveloping information to explain the organization’s policies and procedures.4.2 Principle 2 — Identifying PurposesThe purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.4.2.1The organization shall document the purposes for which personal information is collected in order to comply with the Openness principle (Clause 4.8) and the Individual Access principle (Clause 4.9).4.2.2Identifying the purposes for which personal information is collected at or before the time of collection allows organizations to determine the information they need to collect to fulfil these purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary for the purposes that have been identified.4.2.3The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.4.2.4When personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. For an elaboration on consent, please refer to the Consent principle (Clause 4.3).4.2.5Persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.4.2.6This principle is linked closely to the Limiting Collection principle (Clause 4.4) and the Limiting Use, Disclosure, and Retention principle (Clause 4.5).4.3 Principle 3 - ConsentThe knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would be expected to obtain consent before disclosing personal information.4.3.1Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, an organization will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when an organization wants to use information for a purpose not previously identified).4.3.2The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.4.3.3An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.4.3.4The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Although some information (for example, medical records and income records) is almost always considered to be sensitive, any information can be sensitive, depending on the context. For example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information. However, the names and addresses of subscribers to some special-interest magazines might be considered sensitive.4.3.5In obtaining consent, the reasonable expectations of the individual are also relevant. For example, an individual buying a subscription to a magazine should reasonably expect that the organization, in addition to using the individual’s name and address for mailing and billing purposes, would also contact the person to solicit the renewal of the subscription. In this case, the organization can assume that the individual’s request constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to a health-care professional would be given to a company selling health-care products, unless consent were obtained. Consent shall not be obtained through deception.4.3.6The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).4.3.7Individuals can give consent in many ways. For example:an application form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses;a checkoff box may be used to allow individuals to request that their names and addresses not be given to other organizations. Individuals who do not check the box are assumed to consent to the transfer of this information to third parties;consent may be given orally when information is collected over the telephone; orconsent may be given at the time that individuals use a product or service.4.3.8An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.4.4 Principle 4 — Limiting CollectionThe collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.4.4.1Organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Organizations shall specify the type of information collected as part of their information-handling policies and practices, in accordance with the Openness principle (Clause 4.8).4.4.2The requirement that personal information be collected by fair and lawful means is intended to prevent organizations from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.4.4.3This principle is linked closely to the Identifying Purposes principle (Clause 4.2) and the Consent principle (Clause 4.3).4.5 Principle 5 —Limiting Use, Disclosure, and RetentionPersonal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.4.5.1Organizations using personal information for a new purpose shall document this purpose (see Clause 4.2.1).4.5.2Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.4.5.3Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.4.5.4This principle is closely linked to the Consent principle (Clause 4.3), the Identifying Purposes principle (Clause 4.2), and the Individual Access principle (Clause 4.9).4.6 Principle 6 — AccuracyPersonal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.4.6.1The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.4.6.2An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.4.6.3Personal information that is used on an ongoing basis, including information that is disclosed to third parties, should generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.4.7 Principle 7 — SafeguardsPersonal information shall be protected by security safeguards appropriate to the sensitivity of the information.4.7.1The security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Organizations shall protect personal information regardless of the format in which it is held.4.7.2The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. More sensitive information should be safeguarded by a higher level of protection. The concept of sensitivity is discussed in Clause 4.3.4.4.7.3The methods of protection should includephysical measures, for example, locked filing cabinets and restricted access to offices;organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; andtechnological measures, for example, the use of passwords and encryption.4.7.4Organizations shall make their employees aware of the importance of maintaining the confidentiality of personal information.4.7.5Care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (see Clause 4.5.3).4.8 Principle 8 — OpennessAn organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.4.8.1Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.4.8.2The information made available shall includethe name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;the means of gaining access to personal information held by the organization;a description of the type of personal information held by the organization, including a general account of its use;a copy of any brochures or other information that explain the organization’s policies, standards, or codes; andwhat personal information is made available to related organizations (e.g., subsidiaries).4.8.3An organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.4.9 Principle 9 — Individual AccessUpon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.Note: In certain situations, an organization may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement should be limited and specific. The reasons for denying access should be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.4.9.1Upon request, an organization shall inform an individual whether or not the organization holds personal information about the individual. Organizations are encouraged to indicate the source of this information. The organization shall allow the individual access to this information. However, the organization may choose to make sensitive medical information available through a medical practitioner. In addition, the organization shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.4.9.2An individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use, and disclosure of personal information. The information provided shall only be used for this purpose.4.9.3In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.4.9.4An organization shall respond to an individual’s request within a reasonable time and at minimal or no cost to the individual. The requested information shall be provided or made available in a form that is generally understandable. For example, if the organization uses abbreviations or codes to record information, an explanation shall be provided.4.9.5When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization shall amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.4.9.6When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge shall be recorded by the organization. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.4.10 Principle 10 — Challenging ComplianceAn individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.4.10.1The individual accountable for an organization’s compliance is discussed in Clause 4.1.1.4.10.2Organizations shall put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.4.10.3Organizations shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist. For example, some regulatory bodies accept complaints about the personal-information handling practices of the companies they regulate.4.10.4An organization shall investigate all complaints. If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.(Sections 38 to 47, 49 and 51)
Acts of ParliamentColumn 1Column 2ItemAct of ParliamentProvisions1Federal Real Property and Federal Immovables ActSections 3, 5 to 7, 11 and 162Canada Labour CodeSubsection 254(1)3Canada Lands Surveys ActSubsection 3(2)
2000, c. 5, Sch. 2; SOR/2004-309, s. 1; SOR/2008-114SOR/2019-84, s. 1(Sections 38 to 47, 49 and 51)
Regulations and Other InstrumentsColumn 1Column 2ItemRegulations or Other InstrumentProvisions1Federal Real Property RegulationsSections 9 and 11 [SOR/2005-407]1Federal Real Property RegulationsSections 9 and 11 [SOR/2004-309, s. 2]
2000, c. 5, Sch. 3; SOR/2004-309, s. 2; SOR/2005-407(Subsection 4(1.1) and paragraph 26(2)(c))
OrganizationsColumn 1Column 2ItemOrganizationPersonal Information1World Anti-Doping AgencyAgence mondiale antidopagePersonal information that the organization collects, uses or discloses in the course of its interprovincial or international activities