Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)
Full Document:
Act current to 2024-11-26 and last amended on 2024-08-19. Previous Versions
PART 1Protection of Personal Information in the Private Sector (continued)
DIVISION 1Protection of Personal Information (continued)
Marginal note:Definitions
7.1 (1) The following definitions apply in this section.
- access
access means to program, to execute programs on, to communicate with, to store data in, to retrieve data from, or to otherwise make use of any resources, including data or programs on a computer system or a computer network. (utiliser)
- computer program
computer program has the same meaning as in subsection 342.1(2) of the Criminal Code. (programme d’ordinateur)
- computer system
computer system has the same meaning as in subsection 342.1(2) of the Criminal Code. (ordinateur)
- electronic address
electronic address means an address used in connection with
(a) an electronic mail account;
(b) an instant messaging account; or
(c) any similar account. (adresse électronique)
Marginal note:Collection of electronic addresses, etc.
(2) Paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of
(a) the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or
(b) the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a).
Marginal note:Accessing a computer system to collect personal information, etc.
(3) Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of
(a) the collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; or
(b) the use of personal information that is collected in a manner described in paragraph (a).
- 2010, c. 23, s. 82
- 2015, c. 32, s. 26
Marginal note:Prospective business transaction
7.2 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if
(a) the organizations have entered into an agreement that requires the organization that receives the personal information
(i) to use and disclose that information solely for purposes related to the transaction,
(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and
(iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and
(b) the personal information is necessary
(i) to determine whether to proceed with the transaction, and
(ii) if the determination is made to proceed with the transaction, to complete it.
Marginal note:Completed business transaction
(2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if
(a) the organizations have entered into an agreement that requires each of them
(i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,
(ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and
(iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;
(b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and
(c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).
Marginal note:Agreements binding
(3) An organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).
Marginal note:Exception
(4) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.
- 2015, c. 32, s. 7
Marginal note:Employment relationship
7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if
(a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and
(b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.
- 2015, c. 32, s. 7
Marginal note:Use without consent
7.4 (1) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.
Marginal note:Disclosure without consent
(2) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.
- 2015, c. 32, s. 7
Marginal note:Written request
8 (1) A request under clause 4.9 of Schedule 1 must be made in writing.
Marginal note:Assistance
(2) An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.
Marginal note:Time limit
(3) An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
Marginal note:Extension of time limit
(4) An organization may extend the time limit
(a) for a maximum of thirty days if
(i) meeting the time limit would unreasonably interfere with the activities of the organization, or
(ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or
(b) for the period that is necessary in order to be able to convert the personal information into an alternative format.
In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.
Marginal note:Deemed refusal
(5) If the organization fails to respond within the time limit, the organization is deemed to have refused the request.
Marginal note:Costs for responding
(6) An organization may respond to an individual’s request at a cost to the individual only if
(a) the organization has informed the individual of the approximate cost; and
(b) the individual has advised the organization that the request is not being withdrawn.
Marginal note:Reasons
(7) An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.
Marginal note:Retention of information
(8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.
- 2000, c. 5, s. 8
- 2015, c. 32, s. 8(F)
Marginal note:When access prohibited
9 (1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
Marginal note:Limit
(2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual’s life, health or security is threatened.
Marginal note:Information related to paragraphs 7(3)(c), (c.1) or (d)
(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization
(a) inform the individual about
(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or
(b) give the individual access to the information referred to in subparagraph (a)(ii).
Marginal note:Notification and response
(2.2) An organization to which subsection (2.1) applies
(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and
(b) shall not respond to the request before the earlier of
(i) the day on which it is notified under subsection (2.3), and
(ii) thirty days after the day on which the institution or part was notified.
Marginal note:Objection
(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to
(a) national security, the defence of Canada or the conduct of international affairs;
(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or
(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.
Marginal note:Prohibition
(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization
(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);
(b) shall notify the Commissioner, in writing and without delay, of the refusal; and
(c) shall not disclose to the individual
(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,
(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or
(iii) that the institution or part objects.
Marginal note:When access may be refused
(3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if
(a) the information is protected by solicitor-client privilege or the professional secrecy of advocates and notaries or by litigation privilege;
(b) to do so would reveal confidential commercial information;
(c) to do so could reasonably be expected to threaten the life or security of another individual;
(c.1) the information was collected under paragraph 7(1)(b);
(d) the information was generated in the course of a formal dispute resolution process; or
(e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.
However, in the circumstances described in paragraph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.
Marginal note:Limit
(4) Subsection (3) does not apply if the individual needs the information because an individual’s life, health or security is threatened.
Marginal note:Notice
(5) If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.
- 2000, c. 5, s. 9, c. 17, s. 97
- 2001, c. 41, s. 82
- 2005, c. 46, s. 57
- 2006, c. 9, s. 223
- 2015, c. 32, s. 9
- 2019, c. 18, s. 61
Marginal note:Sensory disability
10 An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format if
(a) a version of the information already exists in that format; or
(b) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Part.
- Date modified: