
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Canadian privacy laws tend not to be particularly prescriptive with respect to permitted purposes for the collection, use and disclosure of personal information.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Each of the Canadian privacy laws contains a general obligation for organisations to retain personal information for only as long as is necessary to fulfil the purposes for which it was collected, subject to a general standard of reasonableness and any external legal requirements. Generally, any personal information that is the subject of a request for access, a complaint or an investigation must be retained as long as necessary to allow the affected individual to exhaust any recourse that he or she may have with respect to the request, complaint or investigation in question.

A variety of laws that do not specifically relate to privacy also impose, either expressly or by implication, specific retention periods for various types of record that may contain personal information.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes, in all cases, individuals have a general right of access to data about them that is held by a private organisation, healthcare custodian or government institution, subject to certain exceptions.

Do individuals have a right to request deletion of their data?

Generally speaking, individuals have the right to withdraw consent for the use or disclosure of their personal information, subject to certain legal or contractual restrictions.

Consent obligations

Is consent required before processing personal data?

Under private sector laws, consent is required before any collection, use or disclosure of personal information, although the laws provide for both implied and express forms of consent, depending on the inherent sensitivity of the personal information in question. In health sector privacy laws, consent is generally not required for use of personal health information within the ‘circle of care’; however, explicit consent is required for certain additional uses and disclosures. Consent is not required for most uses of personal information by governments, although consent is required in some jurisdictions for certain extraordinary uses and disclosures, such as cross-border transfers.

If consent is not provided, are there other circumstances in which data processing is permitted?

Private sector privacy laws set out a limited range of circumstances where consent is not required for the collection, use or disclosure of personal information. Examples of such exceptions include, among others, circumstances where the processing is:

  • clearly in the interest of the individual and consent cannot be obtained in a timely way;
  • for journalistic, artistic or literary purposes; or
  • required by law.

Health sector privacy laws generally allow for the processing of personal information without consent where necessary for the provision of healthcare services. Similarly, consent is generally not required by governments to process information for the purpose of providing government services.

What information must be provided to individuals when personal data is collected?

Generally speaking, where consent is required, the purposes for which consent is sought must be presented in a manner where the individual in question would understand the nature, purposes and consequences of the collection, use or disclosure of the personal information to which he or she is consenting.
