|
1st Session, 36th Parliament, 46-47-48 Elizabeth II, 1997-98-99
|
|
|
The House of Commons of Canada
|
|
|
BILL C-54 |
|
|
An Act to support and promote electronic
commerce by protecting personal
information that is collected, used or
disclosed in certain circumstances, by
providing for the use of electronic means
to communicate or record information or
transactions and by amending the
Canada Evidence Act, the Statutory
Instruments Act and the Statute Revision
Act
|
|
|
|
|
|
SHORT TITLE |
|
Short title
|
1. This Act may be cited as the Personal
Information Protection and Electronic
Documents Act.
|
|
|
PART 1 |
|
|
PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR |
|
|
Interpretation |
|
Definitions
|
2. (1) The definitions in this subsection
apply in this Part.
|
|
``alter- native format'' « support de substitu- tion »
|
``alternative format'', with respect to personal
information, means a format that allows a
person with a sensory disability to read or
listen to the personal information.
|
|
``commer- cial activity'' « activité commer- ciale »
|
``commercial activity'' means any particular
transaction, act or conduct or any regular
course of conduct that is of a commercial
character.
|
|
``Commission
er'' « commis- saire »
|
``Commissioner'' means the Privacy
Commissioner appointed under section 53
of the Privacy Act.
|
|
``Court'' « Cour »
|
``Court'' means the Federal Court-Trial
Division.
|
|
``federal
work,
undertaking
or business'' « entreprises fédérales »
|
``federal work, undertaking or business''
means any work, undertaking or business
that is within the legislative authority of
Parliament. It includes
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
``organiza- tion'' « organisa- tion »
|
``organization'' includes an association, a
partnership, a person and a trade union.
|
|
``personal
information'' « renseigne- ment personnel »
|
``personal information'' means information
about an identifiable individual, but does
not include the name, title or business
address or telephone number of an
employee of an organization .
|
|
``record'' « document »
|
``record'' includes any correspondence,
memorandum, book, plan, map, drawing,
diagram, pictorial or graphic work,
photograph, film, microform, sound
recording, videotape, machine-readable
record and any other documentary material,
regardless of physical form or
characteristics, and any copy of any of those
things.
|
|
Notes in
Schedule 1
|
(2) In this Part, a reference to clause 4.3 or
4.9 of Schedule 1 does not include a reference
to the note that accompanies that clause.
|
|
|
Purpose |
|
Purpose
|
3. The purpose of this Part is to establish , in
an era in which technology increasingly
facilitates the circulation and exchange of
information, rules to govern the collection,
use and disclosure of personal information in
a manner that recognizes the right of privacy
of individuals with respect to their personal
information and the need of organizations to
collect, use or disclose personal information
for purposes that a reasonable person would
consider appropriate in the circumstances.
|
|
|
Application |
|
Application
|
4. (1) This Part applies to every
organization in respect of personal
information that
|
|
|
|
|
|
|
|
Limit
|
(2) This Part does not apply to
|
|
|
|
|
|
|
|
|
|
|
Other Acts
|
(3) Every provision of this Part applies
despite any other Act of Parliament, unless
that Act expressly declares that it operates
despite that provision.
|
|
|
DIVISION 1 |
|
|
PROTECTION OF PERSONAL INFORMATION |
|
Compliance
with
obligations
|
5. (1) Subject to sections 6 to 9, every
organization shall comply with the obligations
set out in Schedule 1.
|
|
Meaning of
``should''
|
(2) The word ``should'', when used in
Schedule 1, indicates a recommendation and
does not impose an obligation.
|
|
Appropriate
purposes
|
(3) An organization may collect, use or
disclose personal information only for
purposes that a reasonable person would
consider are appropriate in the circumstances.
|
|
Effect of
designation of
individual
|
6. The designation of an individual under
clause 4.1 of Schedule 1 does not relieve the
organization of the obligation to comply with
the obligations set out in that Schedule.
|
|
Collection
without
knowledge or
consent
|
7. (1) For the purpose of clause 4.3 of
Schedule 1, and despite the note that
accompanies that clause, an organization may
collect personal information without the
knowledge or consent of the individual only if
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use without
knowledge or
consent
|
(2) For the purpose of clause 4.3 of
Schedule 1, and despite the note that
accompanies that clause, an organization may,
without the knowledge or consent of the
individual, use personal information only if
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Disclosure
without
knowledge or
consent
|
(3) For the purpose of clause 4.3 of
Schedule 1, and despite the note that
accompanies that clause, an organization may
disclose personal information without the
knowledge or consent of the individual only if
the disclosure is
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Use without
consent
|
(4) Despite clause 4.5 of Schedule 1, an
organization may use personal information for
purposes other than those for which it was
collected in any of the circumstances set out in
subsection (2).
|
|
Disclosure
without
consent
|
(5) Despite clause 4.5 of Schedule 1, an
organization may disclose personal
information for purposes other than those for
which it was collected in any of the
circumstances set out in paragraphs (3)(a) to
(h.1) .
|
|
Written
request
|
8. (1) A request under clause 4.9 of
Schedule 1 must be made in writing.
|
|
Assistance
|
(2) An organization shall assist any
individual who informs the organization that
they need assistance in preparing a request to
the organization.
|
|
Time limit
|
(3) An organization shall respond to a
request with due diligence and in any case not
later than thirty days after receipt of the
request.
|
|
Extension of
time limit
|
(4) An organization may extend the time
limit
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In either case, the organization shall, no later
than thirty days after the date of the request,
send a notice of extension to the individual,
advising them of the new time limit, the
reasons for extending the time limit and of
their right to make a complaint to the
Commissioner in respect of the extension.
|
|
Deemed
refusal
|
(5) If the organization fails to respond
within the time limit, the organization is
deemed to have refused the request.
|
|
Costs for
responding
|
(6) An organization may respond to an
individual's request at a cost to the individual
only if
|
|
|
|
|
|
|
|
Reasons
|
(7) An organization that responds within the
time limit and refuses a request shall inform
the individual in writing of the refusal, setting
out the reasons and any recourse that they may
have under this Part.
|
|
Retention of
information
|
(8) Despite clause 4.5 of Schedule 1, an
organization that has personal information
that is the subject of a request shall retain the
information for as long as is necessary to allow
the individual to exhaust any recourse under
this Part that they may have.
|
|
When access
prohibited
|
9. (1) Despite clause 4.9 of Schedule 1, an
organization shall not give an individual
access to personal information if doing so
would likely reveal personal information
about a third party. However, if the
information about the third party is severable
from the record containing the information
about the individual, the organization shall
sever the information about the third party
before giving the individual access.
|
|
Limit
|
(2) Subsection (1) does not apply if the third
party consents to the access or the individual
needs the information because an individual's
life, health or security is threatened.
|
|
When access
may be
refused
|
(3) Despite the note that accompanies
clause 4.9 of Schedule 1, an organization is not
required to give access to personal
information only if
|
|
|
|
|