Bill C-29
If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.
C-29
Third Session, Fortieth Parliament,
59 Elizabeth II, 2010
HOUSE OF COMMONS OF CANADA
BILL C-29
An Act to amend the Personal Information Protection and Electronic Documents Act
first reading, May 25, 2010
MINISTER OF INDUSTRY
90544
SUMMARY
This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,
(a) exclude, in certain circumstances, business contact information from the application of Part 1 of that Act;
(b) specify the elements of valid consent for the collection, use or disclosure of personal information;
(c) permit the disclosure of personal information without the knowledge or consent of the individual for the purposes of
(i) identifying an injured, ill or deceased individual and communicating with their next of kin,
(ii) performing police services,
(iii) preventing, detecting or suppressing fraud, or
(iv) protecting victims of financial abuse;
(d) clarify the meaning of lawful authority for the purpose of disclosures to government institutions of personal information without the knowledge or consent of the individual;
(e) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of the individual, personal information
(i) contained in witness statements related to insurance claims, or
(ii) produced by the individual in the course of their employment, business or profession;
(f) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of the individual, personal information related to prospective or completed business transactions;
(g) permit federal works, undertakings and businesses to collect, use and disclose personal information without the knowledge or consent of the individual to establish, manage or terminate employment relationships;
(h) provide a framework for organizations to notify individuals proactively about disclosures of their personal information made in certain circumstances to government institutions; and
(i) require organizations to report material breaches of security safeguards to the Privacy Commissioner and to notify certain individuals and organizations of breaches that create a real risk of significant harm.
Also available on the Parliament of Canada Web Site at the following address:
http://www.parl.gc.ca
http://www.parl.gc.ca
3rd Session, 40th Parliament,
59 Elizabeth II, 2010
house of commons of canada
BILL C-29
An Act to amend the Personal Information Protection and Electronic Documents Act
Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:
SHORT TITLE
Short title
1. This Act may be cited as the Safeguarding Canadians’ Personal Information Act.
2000, c. 5
PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
2. (1) The definition “personal information” in subsection 2(1) of the Personal Information Protection and Electronic Documents Act is replaced by the following:
“personal information”
« renseignement personnel »
« renseignement personnel »
“personal information” means information about an identifiable individual.
(2) Paragraph (g) of the definition “federal work, undertaking or business” in subsection 2(1) of the Act is replaced by the following:
(g) a bank or an authorized foreign bank as defined in section 2 of the Bank Act;
(3) Subsection 2(1) of the Act is amended by adding the following in alphabetical order:
“breach of security safeguards”
« atteinte aux mesures de sécurité »
« atteinte aux mesures de sécurité »
“breach of security safeguards” means the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s security safeguards that are referred to in clauses 4.7 to 4.7.5 of Schedule 1 or from a failure to establish those safeguards.
“business contact information”
« coordonnées d’affaires »
« coordonnées d’affaires »
“business contact information” means an individual’s name, position name or title, work address, work telephone number, work facsimile number, work electronic mail address and any similar information about the individual.
“business transaction”
« transaction commerciale »
« transaction commerciale »
“business transaction” includes
(a) the purchase, sale or other acquisition or disposition of an organization or a portion of an organization, or any of its assets;
(b) the merger or amalgamation of two or more organizations;
(c) the making of a loan or provision of other financing to an organization or a portion of an organization;
(d) the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;
(e) the lease or licensing of any of an organization’s assets; and
(f) the arrangement between two or more organizations to conduct a business activ- ity other than the processing of personal information referred to in clause 4.1.3 of Schedule 1.
“prescribed”
Version anglaise seulement
Version anglaise seulement
“prescribed” means prescribed by regulations.
3. Paragraph 4(1)(b) of the Act is replaced by the following:
(b) is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
4. The Act is amended by adding the following after section 4:
Business contact information
4.01 This Part does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.
5. The Act is amended by adding the following after section 6:
Valid consent
6.1 For the purposes of clauses 4.3 to 4.3.8 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure of personal information to which they are consenting.
6. (1) The portion of subsection 7(1) of the French version of the Act before paragraph (a) is replaced by the following:
Collecte à l’insu de l’intéressé ou sans son consentement
7. (1) Pour l’application de l’article 4.3 de l’annexe 1 et malgré la note afférente, l’organisation ne peut recueillir de renseignement personnel à l’insu de l’intéressé ou sans son consentement que dans les cas suivants :
(2) Subsection 7(1) of the Act is amended by adding the following after paragraph (b):
(b.1) the information is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;
(b.2) the information was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;
(3) The portion of subsection 7(2) of the French version of the Act before paragraph (a) is replaced by the following:
Utilisation à l’insu de l’intéressé ou sans son consentement
(2) Pour l’application de l’article 4.3 de l’annexe 1 et malgré la note afférente, l’organisation ne peut utiliser de renseignement personnel à l’insu de l’intéressé ou sans son consentement que dans les cas suivants :
(4) Subsection 7(2) of the Act is amended by adding the following after paragraph (b):
(b.1) the information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;
(b.2) the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced;
(5) The portion of subsection 7(3) of the French version of the Act before paragraph (a) is replaced by the following:
Communication à l’insu de l’intéressé ou sans son consentement
(3) Pour l’application de l’article 4.3 de l’annexe 1 et malgré la note afférente, l’organisation ne peut communiquer de renseignement personnel à l’insu de l’intéressé ou sans son consentement que dans les cas suivants :
(6) Paragraph 7(3)(c.1) of the Act is amended by striking out “or” at the end of subparagraph (ii) and by adding the following after subparagraph (iii):
(iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual, or
(v) the disclosure is requested for the purpose of performing policing services that are not referred to in subparagraph (i), (ii) or (iv);
(7) Paragraph 7(3)(c.2) of the Act, as enacted by paragraph 97(1)(a) of chapter 17 of the Statutes of Canada, 2000, is repealed.
(8) The portion of paragraph 7(3)(d) of the Act before subparagraph (ii) is replaced by the following:
(d) made on the initiative of the organization to a government institution or a part of a government institution and the organization
(i) has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
(9) Subsection 7(3) of the Act is amended by adding the following after paragraph (d):
(d.1) made to another organization and the disclosure is necessary
(i) to investigate a breach of an agreement, or a contravention of the laws of Canada or a province, that has been, is being or is about to be committed, or
(ii) to prevent, detect or suppress fraud when it is reasonable to expect that the disclosure with the knowledge or consent of the individual would undermine the ability to prevent, detect or suppress the fraud;
(d.2) made on the initiative of the organization to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and
(i) the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse, and
(ii) the disclosure is made solely for purposes related to preventing or investigating the abuse;
(d.3) necessary to identify the individual who is injured, ill or deceased, the disclosure is made to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and, if the individual is alive, the organization informs that individual in writing without delay of the disclosure;
(10) Subsection 7(3) of the Act is amended by adding the following after paragraph (e):
(e.1) of information that is contained in a witness statement, and the disclosure is necessary to assess, process or settle an insurance claim;
(e.2) of information that was produced by the individual in the course of their employment, business or profession, and the disclosure is consistent with the purposes for which the information was produced;
(11) Subsection 7(3) of the Act is amended by adding “or” at the end of paragraph (h.1) and by repealing paragraph (h.2).
(12) Section 7 of the Act is amended by adding the following after subsection (3):
Lawful authority
(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)
(a) lawful authority refers to lawful authority other than
(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
(ii) rules of court relating to the production of records; and
(b) the organization that discloses the per- sonal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.
(13) Subsection 7(5) of the Act is replaced by the following:
Disclosure without consent
(5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.1).
7. The Act is amended by adding the following after section 7:
Prospective business transaction
7.1 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if
(a) the organizations have entered into an agreement that requires the organization that receives the personal information
(i) to use and disclose that information solely for purposes related to the transaction,
(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and
(iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and
(b) the personal information is necessary
(i) to determine whether to proceed with the transaction, and
(ii) if the determination is made to proceed with the transaction, to complete it.
Completed business transaction
(2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if
(a) the organizations have entered into an agreement that requires each of them
(i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected or permitted to be used or disclosed before the transaction was completed,
(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and
(iii) to give effect to any withdrawal of consent made in accordance with clause 4.3.8 of Schedule 1;
(b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and
(c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).
Agreements binding
(3) An organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).
Exception
(4) Subsections (1) and (2) do not apply to a business transaction in which the primary purpose or result of the transaction is the purchase, sale or other acquisition or disposition, or lease, of personal information.
Employment relationship
7.2 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if
(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and
(b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.
Use without consent
7.3 (1) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsections 7.1(1) and (2) and section 7.2.
Disclosure without consent
(2) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in subsections 7.1(1) and (2) and section 7.2.
8. The Act is amended by adding the following before section 8:
Informing an individual on an organization’s initiative
7.4 (1) Unless it complies with subsection (2), no organization shall, on its own initiative, take any of the following actions:
(a) informing an individual about
(i) any disclosure of their personal information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i), (ii) or (v) or paragraph 7(3)(c.2) or (d), or
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i), (ii) or (v); or
(b) giving an individual access to the information referred to in subparagraph (a)(ii).
Notification and response
(2) Each time an organization intends, on its own initiative, to take an action referred to in subsection (1), it
(a) shall, in writing and without delay, notify the government institution or part concerned of its intention; and
(b) shall not take the action before the earlier of
(i) 30 days after the day on which the institution or part was notified, and
(ii) the day on which the organization is notified under subsection (3) that the institution or part does not object to the action.
Objection
(3) Within 30 days after the day on which it is notified under paragraph (2)(a), the institution or part shall notify the organization of whether or not it objects to the organization’s intended action. The institution or part may object only if it is of the opinion that the action could reasonably be expected to be injurious to
(a) national security, the defence of Canada or the conduct of international affairs;
(b) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
(c) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
Prohibition
(4) If an organization is notified under subsection (3) that the institution or part objects to the organization’s intended action, the organization
(a) shall not take the action;
(b) shall notify the Commissioner, in writing and without delay, of the objection; and
(c) shall not disclose to the individual
(i) that the organization intended to take the action,
(ii) that the organization notified a government institution or part under paragraph (2)(a) or the Commissioner under paragraph (b), or
(iii) that the institution or part objects.
9. Subsection 8(8) of the French version of the Act is replaced by the following:
Conservation des renseignements
(8) Malgré l’article 4.5 de l’annexe 1, l’organisation qui détient un renseignement faisant l’objet d’une demande doit le conserver le temps nécessaire pour permettre au demandeur d’épuiser tous les recours qu’il a en vertu de la présente partie.
2000, c. 17, par. 97(1)(b)
10. (1) Subparagraphs 9(2.1)(a)(i) and (ii) of the Act are replaced by the following:
(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i), (ii) or (v) or paragraph 7(3)(c.2) or (d), or
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i), (ii) or (v); or
(2) Subparagraphs 9(2.2)(b)(i) and (ii) of the Act are replaced by the following:
(i) 30 days after the day on which the institution or part was notified, and
(ii) the day on which the organization is notified under subsection (2.3) that the institution or part does not object to it complying with the request.
(3) Paragraph 9(2.3)(a.1) of the Act, as enacted by paragraph 97(1)(c) of chapter 17 of the Statutes of Canada, 2000, is repealed.
(4) Subparagraph 9(2.4)(c)(iii) of the French version of the Act is replaced by the following:
(iii) ni le fait que l’institution ou la subdivision s’oppose à ce que l’organisation acquiesce à la demande.
(5) Paragraph 9(3)(a) of the Act is replaced by the following:
(a) the information is protected by solicitor-client privilege or, in civil law, by the professional secrecy of lawyers and notaries;
11. The Act is amended by adding the following after section 10:
Division 1.1
Breaches of Security Safeguards
Report to Commissioner
10.1 (1) An organization shall report to the Commissioner any material breach of security safeguards involving personal information under its control.
Material breach of security safeguards — factors
(2) The factors that are relevant to determining whether a breach of security safeguards is material include
(a) the sensitivity of the personal information;
(b) the number of individuals whose personal information was involved; and
(c) an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.
Report requirements
(3) The report must contain the prescribed information and be made in the prescribed form and manner as soon as feasible after the organization determines that a material breach of its security safeguards has occurred.
Notification to individual
10.2 (1) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.
Definition of “significant harm”
(2) For the purpose of subsection (1), “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
Real risk of significant harm — factors
(3) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include the following:
(a) the sensitivity of the personal information involved in the breach; and
(b) the probability that the personal information has been, is being or will be misused.
Contents of notification
(4) The notification must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of the harm that could result from it or to mitigate that harm, as well as any other prescribed information.
Time to give notification
(5) The notification must be given as soon as feasible after the organization confirms that the breach has occurred and concludes that it is required to give the notification under subsection (1).
Form and manner
(6) The notification must be conspicuous and given directly to the individual in the prescribed form and manner, except in the prescribed circumstances where it is not feasible to do so, in which case it must be given indirectly in the prescribed form and manner.
Notification to organizations
10.3 (1) An organization that notifies an individual of a breach of security safeguards under section 10.2 shall notify another organization, a government institution or a part of a government institution of the breach if that organization, government institution or part may be able to reduce the risk of the harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.
Time to give notification
(2) The notification required by subsection (1) must be given as soon as feasible after the organization confirms that the breach has occurred and concludes that it is required to give the notification under subsection 10.2(1).
Disclosure of personal information
(3) In addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual if
(a) the disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1); and
(b) the disclosure is made solely for the purposes of reducing the risk of the harm to the individual that could result from the breach or mitigating that harm.
Disclosure without consent
(4) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in the circumstance set out in subsection (3).
12. Subsection 11(1) of the Act is replaced by the following:
Contravention
11. (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recom- mendation set out in Schedule 1.
13. Subsection 14(1) of the Act is replaced by the following:
Application
14. (1) A complainant may, after receiving the Commissioner’s report, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1 or 1.1, in subsection 5(3) or 8(6) or (7) or in section 10 or 10.2.
14. Paragraph 16(a) of the Act is replaced by the following:
(a) order an organization to correct its practices in order to comply with sections 5 to 10 and 10.2 and subsections 10.3(3) and (4);
15. (1) The portion of subsection 22(2) of the Act before paragraph (a) is replaced by the following:
Defamation
(2) No action lies in defamation with respect to
(2) Paragraphs 22(2)(a) and (b) of the English version of the Act are replaced by the following:
(a) anything said, any information supplied or any record or thing produced in good faith in the course of an investigation or audit carried out by or on behalf of the Commissioner under this Part; and
(b) any report made in good faith by the Commissioner under this Part and any fair and accurate account of the report made in good faith for the purpose of news reporting.
16. Paragraph 24(c) of the Act is replaced by the following:
(c) encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with Divisions 1 and 1.1; and
17. Subsection 25(2) of the English version of the Act is replaced by the following:
Consultation
(2) Before preparing the report, the Commissioner shall consult with those persons in the provinces who, in the Commissioner’s opinion, are in a position to assist the Commissioner in making a report respecting personal information that is collected, used or disclosed interprovincially or internationally.
18. (1) Paragraph 26(1)(a.01) of the Act is repealed.
(2) Subsection 26(1) of the Act is amended by striking out “and” at the end of paragraph (a.1) and by adding the following after that paragraph:
(a.2) prescribing the form and manner in which the report referred to in section 10.1 must be made and the information that it must contain;
(a.3) prescribing the form and manner in which the notification referred to in section 10.2 must be given directly or indirectly and the information that it must contain;
(a.4) prescribing the circumstances referred to in subsection 10.2(6);
(a.5) prescribing conditions for the purpose of subsection 10.3(1); and
(3) Section 26 of the Act is amended by adding the following after subsection (1):
Incorporation by reference
(1.1) Regulations made under subsection (1) may incorporate by reference any standards or specifications produced by a government or organization, either as they exist on a particular date or as amended from time to time.
19. Subsection 27(1) of the Act is replaced by the following:
Whistleblowing
27. (1) Any person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1 or 1.1 may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.
20. Paragraphs 27.1(1)(a) to (c) of the Act are replaced by the following:
(a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that the employer or any other person has contravened or intends to contravene a provision of Division 1 or 1.1;
(b) the employee, acting in good faith and on the basis of reasonable belief, has refused or stated an intention of refusing to do anything that is a contravention of a provision of Division 1 or 1.1;
(c) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order that a provision of Division 1 or 1.1 not be contravened; or
COORDINATING AMENDMENTS
Fighting Internet and Wireless Spam Act
21. If a Bill entitled the Fighting Internet and Wireless Spam Act (in this section referred to as the “other Act”) is introduced in the 3rd session of the 40th Parliament and receives royal assent, then, on the first day on which both section 7.1 of the Personal Information Protection and Electronic Documents Act, as enacted by section 83 of the other Act, and section 7.1 of the Personal Information Protection and Electronic Documents Act, as enacted by section 7 of this Act, are in force,
(a) section 7.1 of the Personal Information Protection and Electronic Documents Act, as enacted by section 7 of this Act, is renumbered as section 7.11 and is repositioned accordingly if required; and
(b) section 7.3 of the Personal Information Protection and Electronic Documents Act is amended by replacing every reference to section 7.1 of that Act with a reference to section 7.11.
COMING INTO FORCE
Order in council
22. The provisions of this Act, other than section 21, come into force on a day or days to be fixed by order of the Governor in Council.
Published under authority of the Speaker of the House of Commons
Available from:
Publishing and Depository Services
Public Works and Government Services Canada
Available from:
Publishing and Depository Services
Public Works and Government Services Canada
Explanatory Notes
Personal Information Protection and Electronic Documents Act
Clause 2: (1) Existing text of the definition:
“personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.
(2) Relevant portion of the definition:
“federal work, undertaking or business” means any work, undertaking or business that is within the legislative authority of Parliament. It includes
...
(g) a bank;
(3) New.
Clause 3: Relevant portion of subsection 4(1):
4. (1) This Part applies to every organization in respect of personal information that
...
(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.
Clause 4: New.
Clause 5: New.
Clause 6: (1) and (2) Relevant portion of subsection 7(1):
7. (1) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
(3) and (4) Relevant portion of subsection 7(2):
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only if
(5) to (11) Relevant portion of subsection 7(3):
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
...
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
...
(c.2) made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) Act as required by that section;
(d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization
(i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or
...
(h.2) made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or
(12) New.
(13) Existing text of subsection 7(5):
(5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.2).
Clause 7: New.
Clause 8: New.
Clause 9: Existing text of subsection 8(8):
(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.
Clause 10: (1) Relevant portion of subsection 9(2.1):
(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization
(a) inform the individual about
(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or
(2) Relevant portion of subsection 9(2.2):
(2.2) An organization to which subsection (2.1) applies
...
(b) shall not respond to the request before the earlier of
(i) the day on which it is notified under subsection (2.3), and
(ii) thirty days after the day on which the institution or part was notified.
(3) Relevant portion of subsection 9(2.3):
(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to
...
(a.1) the detection, prevention or deterrence of money laundering; or
(4) Relevant portion of subsection 9(2.4):
(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization
...
(c) shall not disclose to the individual
...
(iii) that the institution or part objects.
(5) Relevant portion of subsection 9(3):
(3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if
(a) the information is protected by solicitor-client privilege;
Clause 11: New.
Clause 12: Existing text of subsection 11(1):
11. (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1.
Clause 13: Existing text of subsection 14(1):
14. (1) A complainant may, after receiving the Commissioner’s report, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1, in subsection 5(3) or 8(6) or (7) or in section 10.
Clause 14: Relevant portion of section 16:
16. The Court may, in addition to any other remedies it may give,
(a) order an organization to correct its practices in order to comply with sections 5 to 10;
Clause 15: (1) and (2) Existing text of subsection 22(2):
(2) For the purposes of any law relating to libel or slander,
(a) anything said, any information supplied or any record or thing produced in good faith in the course of an investigation or audit carried out by or on behalf of the Commissioner under this Part is privileged; and
(b) any report made in good faith by the Commissioner under this Part and any fair and accurate account of the report made in good faith for the purpose of news reporting is privileged.
Clause 16: Relevant portion of section 24:
24. The Commissioner shall
...
(c) encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with sections 5 to 10; and
Clause 17: Existing text of subsection 25(2):
(2) Before preparing the report, the Commissioner shall consult with those persons in the provinces who, in the Commissioner’s opinion, are in a position to assist the Commissioner in reporting respecting personal information that is collected, used or disclosed interprovincially or internationally.
Clause 18: (1) and (2) Relevant portion of subsection 26(1):
26. (1) The Governor in Council may make regulations
...
(a.01) specifying, by name or by class, what is an investigative body for the purposes of paragraph 7(3)(d) or (h.2);
(3) New.
Clause 19: Existing text of subsection 27(1):
27. (1) Any person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1, may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.
Clause 20: Relevant portion of subsection 27.1(1):
27.1 (1) No employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny an employee a benefit of employment, by reason that
(a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that the employer or any other person has contravened or intends to contravene a provision of Division 1;
(b) the employee, acting in good faith and on the basis of reasonable belief, has refused or stated an intention of refusing to do anything that is a contravention of a provision of Division 1;
(c) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order that a provision of Division 1 not be contravened; or