The Office of the Privacy Commissioner of Canada oversees compliance with two important pieces of legislation:
- The Privacy Act: This Act relates to the handling practices of federal government departments and agencies with regards to personal information. Individuals can access and correct personal information that the government of Canada holds about them under this legislation. This Act also relates to how the government uses, collects, or discloses personal information when providing services (such as employment insurance or old age pensions). It only applies to federal government institutions that are listed in the Privacy Act Schedule of Institutions.
- The Personal Information Protection and Electronic Documents Act (PIPEDA): This is the federal private-sector privacy legislation.
Provincial privacy laws and PIPEDA
Where a province's privacy legislation has been deemed “substantially similar” to PIPEDA, that provincial legislation applies in the province instead. Alberta, Quebec and British Columbia have general privacy legislation that is substantially similar to PIPEDA, and Ontario, New Brunswick, and Newfoundland and Labrador have substantially similar health-specific privacy legislation. Provincial legislation replaces PIPEDA only when an organization operates wholly within the province and not nationally or across borders. Several other sector-specific laws, such as the Bank Act, also deal with the protection of personal information.
PIPEDA relates to how organizations collect, use, or disclose personal information during commercial activities in Canada (not any other activity). This means that the Act usually does not apply to charities, not-for-profits, and political parties (unless they are engaged in commercial activities).
Digital Privacy Act
Bill S-4, The Digital Privacy Act, introduced amendments to PIPEDA in June 2015, but it did not come into force in full. It is anticipated that some of the clauses in The Digital Privacy Act will do so in July 2017. Some important highlights include:
- Reporting to the Privacy Commissioner: An organization must report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual (Section 10.1(1)).
- Notification to an individual: An organization must notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual (Section 10.1(3)).
- Time to give notification: The notification shall be given as soon as feasible after the organization determines that the breach has occurred (Section 10.1(6)).
- “Significant harm”: The definition of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property (Section 10.1(7)).
- Factors relevant to “real risk of significant harm”: The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include:
  - (a) the sensitivity of the personal information involved in the breach;
  - (b) the probability that the personal information has been, is being or will be misused; and
  - (c) any other prescribed factor (Section 10.1(8)).
- Notification to organizations: An organization that notifies an individual of a breach must also notify any third party (any other organization, a government institution or a part of a government institution) that the organization experiencing the breach believes is in a position to reduce the risk or mitigate the risk of harm (Section 10.2(1)).
- Record-keeping: Records must be kept of every breach of security safeguards involving personal information under an organization’s control (Section 10.3(1)) and, upon request, the Commissioner must be provided with access to, or a copy of, a record (Section 10.3(2)).