Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Under the Personal Information Protection and Electronic Documents Act (SC 2000, c 5) (PIPEDA), there are two prerequisites for the collection, storage and processing of personal data:
- The data must be collected, stored or processed for purposes that a reasonable person would consider to be appropriate in the circumstances.
- The organisation must have express or implied consent.
The appropriateness criterion ensures that the collection of personal data is rationally connected to the stated purpose for collection and is not overbroad or contrary to societal values. The Office of the Privacy Commissioner of Canada (OPC) uses a four-part test to consider appropriateness. This test requires the organisation to show that:
- the collection, storage or processing is related to a specific need of the organisation;
- the collection, storage or processing is likely to be effective in meeting a need;
- the loss of privacy is proportional to the benefit gained; and
- there is no less privacy-invasive way of meeting the need.
The private sector legislation of Alberta and British Columbia both contain a similar concept of appropriateness. Public sector legislation limits collection, storage and processing to purposes for which there is statutory authority and other consistent purposes.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Canadian privacy legislation requires organisations to retain personal data only as long as necessary to fulfil the purpose for which it was collected. PIPEDA recommends that organisations develop retention guidelines, which should include minimum and maximum periods as well as procedures for the safe and secure destruction of data.
Personal data that has been used to make a decision about an individual must be retained long enough to allow the individual to access the information after the decision has been made. Under the British Columbia Personal Information Protection Act, an organisation must retain that information for at least one year if it uses an individual's personal data to make a decision that directly affects the individual.
Organisations may also be subject to data retention periods under other legislative requirements, such as tax, employment standards, occupational health and safety and human rights legislation. These statutes may require that certain types of data be retained for minimum periods.
Do individuals have a right to access personal information about them that is held by an organisation?
Under private sector, public sector and sectoral personal data protection legislation, individuals have a right to access the information held about them. The maximum period that organisations have to respond varies. Under PIPEDA, responses must be made within 30 days. This timeline can be extended in certain cases.
All access provisions contain exceptions. For example, under PIPEDA, access may be refused if:
- the disclosure would include the data of another individual that cannot be severed from the disclosure;
- the personal data is protected by solicitor-client privilege (or in Quebec by professional secrecy of lawyers and notaries);
- providing access would reveal confidential commercial information;
- providing access could reasonably be expected to threaten the life or security of another individual;
- the data was collected without the individual's consent in order not to compromise the availability or the accuracy of the information and the collection was reasonable for the purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; and
- the data was generated in the course of a formal dispute resolution process.
Do individuals have a right to request deletion of their data?
Canadian legislation does not contain an express right to erasure. However, an individual may withdraw consent to the processing of his or her personal data under Canadian private sector legislation. If there is no further purpose for which the personal data can be lawfully retained, this may involve a requirement to delete the personal data. In addition, individuals have a right to correct data under most Canadian privacy laws. The right to correction may also include the right to have incorrect data deleted or noted as being in dispute. The rights are subject to any statutory requirements that may impose retention periods, preventing a request for deletion. Notably, data that has been aggregated or anonymised does not need to be deleted.
Is consent required before processing personal data?
Subject to defined exceptions, personal data may be collected only with an individual’s knowledge and informed consent. The individual must also be notified of the purpose for which his or her personal data is being collected before obtaining consent. The information must be sufficient to enable the individual to make an informed decision. Express or implied consent should be obtained before or at the time of collecting personal data. Express consent is required for sensitive personal data or sensitive uses of personal data. If it is impractical to obtain consent before collection or if consent to additional uses is sought, consent may be obtained after collection but before use.
If consent is not provided, are there other circumstances in which data processing is permitted?
There are numerous situations in which personal data may be collected without consent.
Under PIPEDA and the private sector legislation in British Columbia and Alberta, employers may collect, use and disclose personal data without the consent of the data subject if:
- the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the organisation and the individual; and
- the employer has informed the individual that the personal data will be or may be collected, used or disclosed for these purposes.
In addition, under PIPEDA organisations may collect personal data without the knowledge or consent of the individual for a number of specified purposes connected to important public policy objectives – for example, if:
- the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
- the collection of the data with the knowledge or consent of the individual would compromise the availability or accuracy of the information and such collection is related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
- the data is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;
- the data was produced by the individual in the course of his or her employment, business or profession and the collection is consistent with the purpose of the information produced;
- the data is collected solely for journalistic, artistic or literary purposes;
- the data is collected in response to a request by a government institution or other lawful authority and such information relates to national security, the defence of Canada or the conduct of international affairs;
- the organisation has reasonable grounds to believe that the information relates to national security, the defence of Canada or the conduct of international affairs; or
- the collection is required by law.
In certain narrowly defined cases, personal data may be collected from public sources without consent. For example, if an individual has consented to his or her data being published in a directory, the information may be collected without his or her consent.
Provincial private sector legislation contains similar provisions. Personal health information protection legislation and public sector legislation also contain exceptions to consent.
What information must be provided to individuals when personal data is collected?
In the private sector, individuals must be given sufficient information to make an informed decision with respect to whether to give consent. This involves providing an individual with information on what personal data is collected and how it will be used and disclosed and the consequences of providing or refusing consent if those consequences are not obvious. Organisations must also make available information on their policies and practices relating to personal data. Under PIPEDA, the following information is expected to be available from organisations:
- the name or title and address of the privacy officer or equivalent;
- instructions on how to access personal data held by the organisation;
- a description of the types of personal data collected and the uses made of that personal data;
- an explanation of the organisation’s policies, standards or codes; and
- a description of what personal data is shared with related organisations (eg, subsidiaries).
In Alberta, if the organisation uses a third party outside Canada to collect personal data, or directly or indirectly transfers personal data to a third party outside Canada, the data controller must, before or at the time of collecting or transferring, notify the data subject orally or in writing of:
- the way in which the data subject may obtain access to written data about the organisation's policies and practices with respect to service providers outside Canada; and
- the name or position name or title of a person who can answer on behalf of the organisation the data subject's questions about the collection, use, disclosure or storage of personal data by service providers outside Canada for or on behalf of the organisation.
These are also best practices to fulfil transparency requirements in other jurisdictions in Canada.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Organisations are responsible for the personal data in their control, including information that has been transferred to third parties, whether within the same jurisdiction or outside Canada’s jurisdiction. Organisations must ensure that a third-party processor is handling the information in a legal and secure manner. Canadian data controllers must do so by using contractual or other means to require third parties to provide a level of protection comparable to that of the Canadian data controller. Further, the third party must process the personal data only for or on behalf of the data controller (the same purpose disclosed to the data subject) and must not process it for any other purposes.
Individuals must be notified that their personal data may be disclosed to a third party to process for or on behalf of the data controller. This is generally disclosed to the data subject through the organisation’s privacy notices.
Are there restrictions on the geographic transfer of data?
An organisation subject to the public sector privacy legislation in British Columbia or Nova Scotia may not transfer the personal data it collects outside Canada or otherwise allow access to that personal data from outside Canada, subject to certain exceptions. A similar restriction regarding personal health information applies in New Brunswick. Canadian tax legislation also requires that data remain in Canada (although copies may be stored elsewhere). Similar requirements are included in other regulations. Therefore, an organisation transferring data or using a cloud-based service should seek legal advice.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Data owners must ensure that the third-party processor processes the personal data only for or on behalf of the data controller (the same purpose disclosed to the data subject) and does not process it for any other purposes. In addition, data owners must ensure that a third-party processor is handling the information in a legal and secure manner.