Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

Act current to 2016-01-25 and last amended on 2015-06-23. Previous Versions

Marginal note:Definitions
  •  (1) The following definitions apply in this section.

    access

    utiliser

    access means to program, to execute programs on, to communicate with, to store data in, to retrieve data from, or to otherwise make use of any resources, including data or programs on a computer system or a computer network. (utiliser)

    computer program

    programme d’ordinateur

    computer program has the same meaning as in subsection 342.1(2) of the Criminal Code. (programme d’ordinateur)

    computer system

    ordinateur

    computer system has the same meaning as in subsection 342.1(2) of the Criminal Code. (ordinateur)

    electronic address

    adresse électronique

    electronic address means an address used in connection with

    • (a) an electronic mail account;

    • (b) an instant messaging account; or

    • (c) any similar account. (adresse électronique)

  • Marginal note:Collection of electronic addresses, etc.

    (2) Paragraphs 7(1)(a) and (b.1) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of

    • (a) the collection of an individual’s electronic address, if the address is collected by the use of a computer program that is designed or marketed primarily for use in generating or searching for, and collecting, electronic addresses; or

    • (b) the use of an individual’s electronic address, if the address is collected by the use of a computer program described in paragraph (a).

  • Marginal note:Accessing a computer system to collect personal information, etc.

    (3) Paragraphs 7(1)(a) to (d) and (2)(a) to (c.1) and the exception set out in clause 4.3 of Schedule 1 do not apply in respect of

    • (a) the collection of personal information, through any means of telecommunication, if the collection is made by accessing a computer system or causing a computer system to be accessed in contravention of an Act of Parliament; or

    • (b) the use of personal information that is collected in a manner described in paragraph (a).

  • 2010, c. 23, s. 82;
  • 2015, c. 32, s. 26.
Marginal note:Prospective business transaction
  •  (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

    • (a) the organizations have entered into an agreement that requires the organization that receives the personal information

      • (i) to use and disclose that information solely for purposes related to the transaction,

      • (ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

      • (iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

    • (b) the personal information is necessary

      • (i) to determine whether to proceed with the transaction, and

      • (ii) if the determination is made to proceed with the transaction, to complete it.

  • Marginal note:Completed business transaction

    (2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if

    • (a) the organizations have entered into an agreement that requires each of them

      • (i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

      • (ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

      • (iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

    • (b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

    • (c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

  • Marginal note:Agreements binding

    (3) An organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).

  • Marginal note:Exception

    (4) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.

  • 2015, c. 32, s. 7.
Marginal note:Employment relationship

 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

  • (a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

  • (b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

  • 2015, c. 32, s. 7.
Marginal note:Use without consent
  •  (1) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.

  • Marginal note:Disclosure without consent

    (2) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.

  • 2015, c. 32, s. 7.
Marginal note:Written request
  •  (1) A request under clause 4.9 of Schedule 1 must be made in writing.

  • Marginal note:Assistance

    (2) An organization shall assist any individual who informs the organization that they need assistance in preparing a request to the organization.

  • Marginal note:Time limit

    (3) An organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

  • Marginal note:Extension of time limit

    (4) An organization may extend the time limit

    • (a) for a maximum of thirty days if

      • (i) meeting the time limit would unreasonably interfere with the activities of the organization, or

      • (ii) the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or

    • (b) for the period that is necessary in order to be able to convert the personal information into an alternative format.

    In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

  • Marginal note:Deemed refusal

    (5) If the organization fails to respond within the time limit, the organization is deemed to have refused the request.

  • Marginal note:Costs for responding

    (6) An organization may respond to an individual’s request at a cost to the individual only if

    • (a) the organization has informed the individual of the approximate cost; and

    • (b) the individual has advised the organization that the request is not being withdrawn.

  • Marginal note:Reasons

    (7) An organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this Part.

  • Marginal note:Retention of information

    (8) Despite clause 4.5 of Schedule 1, an organization that has personal information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust any recourse under this Part that they may have.

  • 2000, c. 5, s. 8;
  • 2015, c. 32, s. 8(F).
 
Date modified: