The protection of personal information is at the forefront of public policy debate in Canada. Federal and provincial privacy protection legislation has a profound impact on the way virtually all organizations carry on business across the country.
The Canadian Privacy Act is similar to the U.S. federal Privacy Act. It requires all federal departments, agencies and most Crown corporations to have lawful, authorized purposes for the collection of an individual’s personal information. The Act also gives individuals a right of access to personal information held about them by government institutions. Companion freedom of information legislation, the Access to Information Act, was enacted at the same time as the Privacy Act. Most of Canada’s provincial governments have similar legislation covering both access to information and the protection of privacy in provincial and municipal operations.
Canadian businesses and private sector organizations are subject to federal or provincial privacy protection legislation governing both customer and (with some exceptions) employee information. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally regulated private sector organizations (i.e., organizations in the transportation, communications, broadcasting, federal banking and offshore sectors, as well as in Canada’s three territories), and to other private sector organizations in provinces that have not enacted “substantially similar” legislation. PIPEDA applies to personal and health information that is collected, used or disclosed in the course of commercial activity that takes place across the Canadian border, between provinces, or within a Canadian province that has not enacted “substantially similar” legislation (see the “Health Sector” discussion below).
Alberta, British Columbia and Québec each have their own private sector privacy legislation which has been recognized as “substantially similar.” PIPEDA does not apply to businesses in relation to their employees, unless the businesses are federal works, undertakings or businesses. However, privacy legislation in Québec, British Columbia and Alberta does apply to employee and customer information. PIPEDA and provincial privacy statutes also do not apply to the journalistic, artistic or personal collection, use or disclosure of personal information.
Health Sector
Saskatchewan, Manitoba, Alberta and Ontario have each passed legislation to deal specifically with personal health information held by public and private sector health care providers and other health care organizations. These health information privacy statutes apply, directly or indirectly, to agents who act for health care custodians, as well as to service providers that manage information, such as data storage and system management providers. The statutes generally require custodians to notify patients of, and obtain their express consent for, the collection, use or disclosure of personal health information.
Each statute contains provisions entitling patients to access their personal health information in the custody or control of a custodian (subject to limited exceptions), and limits access to (and the use of) health information within a custodian’s organization. With detailed, limited exceptions, each statute prohibits disclosure for purposes other than those to which a patient has consented.
Of these health information statutes, only the Ontario Personal Health Information Protection Act 2004 (PHIPA) has been declared to be substantially similar to PIPEDA. This means that PIPEDA applies in Ontario only in relation to extra-provincial and international disclosures of personal health information, whereas both PIPEDA and the Alberta, Saskatchewan and Manitoba health information statutes may apply to private sector organizations in relation to personal health information in each of those three provinces. In each of the other provinces, a combination of public sector privacy, health regulatory and private sector privacy legislation will apply.
Federal Privacy Legislation
PIPEDA requires compliance with the 10 “fair information management principles” of the Model Code for the Protection of Personal Information (Model Code) developed by the Canadian Standards Association. The Model Code requires organizations to notify individuals of the purposes of, and obtain their consent for, the collection, use or disclosure of their personal information. (PIPEDA sets out limited exceptions to this notification requirement.)
Outsourcing and Service Providers
PIPEDA places ongoing responsibility for personal information that is collected, processed or disclosed on the organization that contracts for the services, not on the service provider. This puts service providers – including those providing services from outside the country – in the position of having to handle or process the information in compliance with PIPEDA under their contracts, while the contracting organization remains responsible for obtaining consent from the individuals concerned.
The Privacy Commissioner of Canada (PCC) has oversight of both the federal Privacy Act and PIPEDA. The PCC may audit the privacy practices of organizations suspected of a breach of PIPEDA, and may receive and investigate complaints of non-compliance.
While the PCC’s findings and recommendations are not binding, both the PCC and complainants may refer instances of non-compliance to the Federal Court of Canada, which has wide remedial authority, including the power to award damages for a breach of PIPEDA’s requirements. Since PIPEDA came into force on January 1, 2001, the PCC has made numerous findings with significant impact on current business practices, including:
- standards for a valid opt-out consent for receipt of marketing materials;
- requirements for (and limits on) affiliate sharing of customer information;
- quality control taping of customer telephone calls;
- security matters involving voluminous misdirected faxes and other data security breaches;
- video surveillance and the use of new technologies such as voice recognition security devices; and
- notification to customers of data storage or processing outside Canada.
Provincial Privacy Legislation
B.C.’s Personal Information Protection Act (B.C. PIPA) has been recognized as being “substantially similar” to PIPEDA. It applies to the private sector in British Columbia (both for-profit and non-profit organizations), and covers customer, non-customer and employee information. PIPEDA continues to apply to federal works, undertakings or businesses operating in the province, and to the collection, use and disclosure of personal information outside the province or internationally. The British Columbia Information and Privacy Commissioner, who enforces B.C. PIPA, can issue binding orders requiring compliance. Individuals can launch court proceedings claiming damages for breach of B.C. PIPA.
Alberta’s Personal Information Protection Act (Alta. PIPA) has also been deemed to be “substantially similar” to PIPEDA. It applies to the private sector in Alberta in respect of all commercial activity, with only limited application to non-profit organizations. Alta. PIPA covers the personal information of customers, non-customers and employees of an organization. PIPEDA continues to apply to federal works, undertakings or businesses operating in Alberta, and to the collection, use and disclosure of personal information outside of Alberta or internationally. The Alberta Information and Privacy Commissioner can issue binding orders requiring compliance. Individuals can launch court proceedings claiming damages for breach of Alta. PIPA.
Saskatchewan, Manitoba and Ontario
As Saskatchewan, Manitoba and Ontario have not introduced general (non-health) privacy legislation covering the private sector, PIPEDA applies to the collection, use and disclosure of general private sector personal information in those three provinces.
Québec’s An Act Respecting the Protection of Personal Information in the Private Sector (QPPIPS) has been declared to be “substantially similar” to PIPEDA. PIPEDA applies to federally regulated businesses in Québec and to the inter-provincial or international collection or disclosure of personal information into or from the province. The Québec Commission d’accès à l’information can issue binding orders requiring compliance with QPPIPS. The Civil Code of Québec also creates liability for breach of the principal requirements of QPPIPS, for which individuals may claim damages in a court action.
Newfoundland and Labrador, Nova Scotia, Prince Edward Island and New Brunswick have not enacted general private sector provincial privacy legislation; therefore, PIPEDA applies to the collection, use and disclosure of personal information by the private sector in these provinces.
Yukon, Nunavut and Northwest Territories
None of Canada’s three territories has introduced or enacted privacy legislation applicable to the private sector. PIPEDA applies to businesses in the territories with respect to their customers, non-customers and employees.
Cross-border Information Flows
PIPEDA now applies when personal information is disclosed across a provincial border in the course of commercial activity. Privacy legislation in Québec and several other provinces also makes organizations responsible for compliance when they use or disclose personal information outside the originating province. In addition, PIPEDA will apply in most situations where an organization in Canada receives personal information from, or transmits it to, a destination outside Canada.
Companies subject to PIPEDA would likely attract enforcement measures if they used information collected in Canada in a manner contrary to PIPEDA when outside Canada. PIPEDA also applies to the personal information of non-residents if an organization in Canada that is subject to PIPEDA collects, uses or discloses such information. The federal government is in ongoing discussions with its North American counterparts to address trans-border data flow through the Security and Prosperity Partnership with Mexico and the United States.
Data Exchange with E.U. Members
The European Union (E.U.) permits personal data about employees, customers, etc. to be transferred out of its member states only to jurisdictions whose legislation provides “adequate” privacy protection, or under a specific arrangement such as the U.S. “safe harbour” framework. The E.U.’s recognition of PIPEDA as providing “adequate protection” for personal data transferred from E.U. member states enables the exchange of personal data between E.U. member states and Canada (where PIPEDA applies) without the need for a safe harbour agreement.
Responses to USA PATRIOT Act
In 2004, the province of British Columbia amended its public sector privacy legislation, the Freedom of Information and Protection of Privacy Act (FOIPPA), in response to public concerns about threats to privacy arising under the USA PATRIOT Act. The amendments place strict restrictions on service providers storing, accessing or disclosing B.C. public sector data from locations outside Canada. Similar restrictions apply under the public sector privacy statutes of Alberta and Nova Scotia.
In addition, the Canadian federal government has adopted a risk assessment approach to determine the level of trans-border personal data processing or storage permitted for service providers to federal public bodies. In March 2007, the Office of the Chief Information and Privacy Officer of Ontario issued guidelines requiring government ministries and agencies to undertake an internal risk assessment to mitigate the risk of information breaches, and to address privacy and security risks in service contracts. Similar policies have been issued in most other Canadian provinces. These amendments and policies significantly affect how service providers may store or access personal information in the course of providing services to public sector bodies in Canada.
Data Breach Notification
In June 2008, the federal government released a proposed model for data breach notification that would require businesses that collect personal information about individuals to notify them (and, potentially, other organizations) of a data breach where it is reasonable to consider that there is a substantial risk of significant harm to the individuals affected. Notification would be required as soon as possible after the detection, confirmation and assessment of the scope and extent of the breach. Businesses would also need to report any material breach to the PCC as soon as reasonably possible. The model calls for notification (where necessary) in a clear and conspicuous manner, using a direct means of communication and including sufficient information for a person to understand the significance of the breach and to take steps to mitigate any resulting harm.