Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada

Search

Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

Act current to 2024-03-06 and last amended on 2019-06-21. Previous Versions

PART 1Protection of Personal Information in the Private Sector (continued)

DIVISION 1.1Breaches of Security Safeguards

Marginal note:Report to Commissioner

  •  (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

  • Marginal note:Report requirements

    (2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note:Notification to individual

    (3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

  • Marginal note:Contents of notification

    (4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

  • Marginal note:Form and manner

    (5) The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.

  • Marginal note:Time to give notification

    (6) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note:Definition of significant harm

    (7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

  • Marginal note:Real risk of significant harm — factors

    (8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

    • (a) the sensitivity of the personal information involved in the breach;

    • (b) the probability that the personal information has been, is being or will be misused; and

    • (c) any other prescribed factor.

  • 2015, c. 32, s. 10

Marginal note:Notification to organizations

  •  (1) An organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.

  • Marginal note:Time to give notification

    (2) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note:Disclosure of personal information

    (3) In addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual if

    • (a) the disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1); and

    • (b) the disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.

  • Marginal note:Disclosure without consent

    (4) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in the circumstance set out in subsection (3).

  • 2015, c. 32, s. 10

Marginal note:Records

  •  (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.

  • Marginal note:Provision to Commissioner

    (2) An organization shall, on request, provide the Commissioner with access to, or a copy of, a record.

  • 2015, c. 32, s. 10

DIVISION 2Remedies

Filing of Complaints

Marginal note:Contravention

  •  (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.

  • Marginal note:Commissioner may initiate complaint

    (2) If the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Part, the Commissioner may initiate a complaint in respect of the matter.

  • Marginal note:Time limit

    (3) A complaint that results from the refusal to grant a request under section 8 must be filed within six months, or any longer period that the Commissioner allows, after the refusal or after the expiry of the time limit for responding to the request, as the case may be.

  • Marginal note:Notice

    (4) The Commissioner shall give notice of a complaint to the organization against which the complaint was made.

  • 2000, c. 5, s. 11
  • 2015, c. 32, s. 11

Investigations of Complaints

Marginal note:Examination of complaint by Commissioner

  • 2000, c. 5, s. 12
  • 2010, c. 23, s. 83

Marginal note:Powers of Commissioner

  •  (1) In the conduct of an investigation of a complaint, the Commissioner may

    • (a) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary to investigate the complaint, in the same manner and to the same extent as a superior court of record;

    • (b) administer oaths;

    • (c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;

    • (d) at any reasonable time, enter any premises, other than a dwelling-house, occupied by an organization on satisfying any security requirements of the organization relating to the premises;

    • (e) converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and

    • (f) examine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the investigation.

  • Marginal note:Dispute resolution mechanisms

    (2) The Commissioner may attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.

  • Marginal note:Delegation

    (3) The Commissioner may delegate any of the powers set out in subsection (1) or (2).

  • Marginal note:Return of records

    (4) The Commissioner or the delegate shall return to a person or an organization any record or thing that they produced under this section within 10 days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.

  • Marginal note:Certificate of delegation

    (5) Any person to whom powers set out in subsection (1) are delegated shall be given a certificate of the delegation and the delegate shall produce the certificate, on request, to the person in charge of any premises to be entered under paragraph (1)(d).

  • 2010, c. 23, s. 83

Discontinuance of Investigation

Marginal note:Reasons

  • 2010, c. 23, s. 83
  • 2015, c. 32, s. 12

Commissioner’s Report

Marginal note:Contents

  •  (1) The Commissioner shall, within one year after the day on which a complaint is filed or is initiated by the Commissioner, prepare a report that contains

    • (a) the Commissioner’s findings and recommendations;

    • (b) any settlement that was reached by the parties;

    • (c) if appropriate, a request that the organization give the Commissioner, within a specified time, notice of any action taken or proposed to be taken to implement the recommendations contained in the report or reasons why no such action has been or is proposed to be taken; and

    • (d) the recourse, if any, that is available under section 14.

  • (2) [Repealed, 2010, c. 23, s. 84]

  • Marginal note:Report to parties

    (3) The report shall be sent to the complainant and the organization without delay.

  • 2000, c. 5, s. 13
  • 2010, c. 23, s. 84

Hearing by Court

Marginal note:Application

  •  (1) A complainant may, after receiving the Commissioner’s report or being notified under subsection 12.2(3) that the investigation of the complaint has been discontinued, apply to the Court for a hearing in respect of any matter in respect of which the complaint was made, or that is referred to in the Commissioner’s report, and that is referred to in clause 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3, 4.5 or 4.9 of that Schedule as modified or clarified by Division 1 or 1.1, in subsection 5(3) or 8(6) or (7), in section 10 or in Division 1.1.

  • Marginal note:Time for application

    (2) A complainant shall make an application within one year after the report or notification is sent or within any longer period that the Court may, either before or after the expiry of that year, allow.

  • Marginal note:For greater certainty

    (3) For greater certainty, subsections (1) and (2) apply in the same manner to complaints referred to in subsection 11(2) as to complaints referred to in subsection 11(1).

  • 2000, c. 5, s. 14
  • 2010, c. 23, s. 85
  • 2015, c. 32, s. 13

Marginal note:Commissioner may apply or appear

 The Commissioner may, in respect of a complaint that the Commissioner did not initiate,

  • (a) apply to the Court, within the time limited by section 14, for a hearing in respect of any matter described in that section, if the Commissioner has the consent of the complainant;

  • (b) appear before the Court on behalf of any complainant who has applied for a hearing under section 14; or

  • (c) with leave of the Court, appear as a party to any hearing applied for under section 14.

Marginal note:Remedies

 The Court may, in addition to any other remedies it may give,

  • (a) order an organization to correct its practices in order to comply with Divisions 1 and 1.1;

  • (b) order an organization to publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them under paragraph (a); and

  • (c) award damages to the complainant, including damages for any humiliation that the complainant has suffered.

  • 2000, c. 5, s. 16
  • 2015, c. 32, s. 14

Marginal note:Summary hearings

  •  (1) An application made under section 14 or 15 shall be heard and determined without delay and in a summary way unless the Court considers it inappropriate to do so.

  • Marginal note:Precautions

    (2) In any proceedings arising from an application made under section 14 or 15, the Court shall take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1.

 

Date modified: