Digital Privacy Act (S.C. 2015, c. 32)

Assented to 2015-06-18

An Act to amend the Personal Information Protection and Electronic Documents Act and to make a consequential amendment to another Act

SUMMARY

This enactment amends the Personal Information Protection and Electronic Documents Act to, among other things,

  • (a) specify the elements of valid consent for the collection, use or disclosure of personal information;

  • (b) permit the disclosure of personal information without the knowledge or consent of an individual for the purposes of

    • (i) identifying an injured, ill or deceased individual and communicating with their next of kin,

    • (ii) preventing, detecting or suppressing fraud, or

    • (iii) protecting victims of financial abuse;

  • (c) permit organizations, for certain purposes, to collect, use and disclose, without the knowledge or consent of an individual, personal information

    • (i) contained in witness statements related to insurance claims, or

    • (ii) produced by the individual in the course of their employment, business or profession;

  • (d) permit organizations, for certain purposes, to use and disclose, without the knowledge or consent of an individual, personal information related to prospective or completed business transactions;

  • (e) permit federal works, undertakings and businesses to collect, use and disclose personal information, without the knowledge or consent of an individual, to establish, manage or terminate their employment relationships with the individual;

  • (f) require organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner;

  • (g) require organizations to keep and maintain a record of every breach of security safeguards involving personal information under their control;

  • (h) create offences in relation to the contravention of certain obligations respecting breaches of security safeguards;

  • (i) extend the period within which a complainant may apply to the Federal Court for a hearing on matters related to their complaint;

  • (j) provide that the Privacy Commissioner may, in certain circumstances, enter into a compliance agreement with an organization to ensure compliance with Part 1 of the Act; and

  • (k) modify the information that the Privacy Commissioner may make public if he or she considers that it is in the public interest to do so.

Her Majesty, by and with the advice and consent of the Senate and House of Commons of Canada, enacts as follows:

SHORT TITLE

Marginal note: Short title

 This Act may be cited as the Digital Privacy Act.

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (2000, c. 5)

  •  (1) The definition “personal information” in subsection 2(1) of the Personal Information Protection and Electronic Documents Act is replaced by the following:

    “personal information”

    « renseignement personnel »

    “personal information” means information about an identifiable individual.

  • (2) Paragraph (g) of the definition “federal work, undertaking or business” in subsection 2(1) of the Act is replaced by the following:

    • (g) a bank or an authorized foreign bank as defined in section 2 of the Bank Act;

  • (3) Subsection 2(1) of the Act is amended by adding the following in alphabetical order:

    “breach of security safeguards”

    « atteinte aux mesures de sécurité »

    “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.

    “business contact information”

    « coordonnées d’affaires »

    “business contact information” means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.

    “business transaction”

    « transaction commerciale »

    “business transaction” includes

    • (a) the purchase, sale or other acquisition or disposition of an organization or a part of an organization, or any of its assets;

    • (b) the merger or amalgamation of two or more organizations;

    • (c) the making of a loan or provision of other financing to an organization or a part of an organization;

    • (d) the creating of a charge on, or the taking of a security interest in or a security on, any assets or securities of an organization;

    • (e) the lease or licensing of any of an organization’s assets; and

    • (f) any other prescribed arrangement between two or more organizations to conduct a business activity.

    “prescribed”

    Marginal note: Version anglaise seulement

    “prescribed” means prescribed by regulation.

 Paragraph 4(1)(b) of the Act is replaced by the following:

  • (b) is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

 The Act is amended by adding the following after section 4:

Marginal note: Business contact information

4.01 This Part does not apply to an organization in respect of the business contact information of an individual that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.

 The Act is amended by adding the following after section 6:

Marginal note: Valid consent

6.1 For the purposes of clause 4.3 of Schedule 1, the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

  •  (1) The portion of subsection 7(1) of the French version of the Act before paragraph (a) is replaced by the following:

    Marginal note: Collecte à l’insu de l’intéressé ou sans son consentement
    • 7. (1) Pour l’application de l’article 4.3 de l’annexe 1 et malgré la note afférente, l’organisation ne peut recueillir de renseignement personnel à l’insu de l’intéressé ou sans son consentement que dans les cas suivants :

  • (2) Paragraph 7(1)(b) of the French version of the Act is replaced by the following:

    • b) il est raisonnable de s’attendre à ce que la collecte effectuée au su ou avec le consentement de l’intéressé compromette l’exactitude du renseignement ou l’accès à celui-ci, et la collecte est raisonnable à des fins liées à une enquête sur la violation d’un accord ou la contravention au droit fédéral ou provincial;

  • (3) Subsection 7(1) of the Act is amended by adding the following after paragraph (b):

    • (b.1) it is contained in a witness statement and the collection is necessary to assess, process or settle an insurance claim;

    • (b.2) it was produced by the individual in the course of their employment, business or profession and the collection is consistent with the purposes for which the information was produced;

  • (4) The portion of subsection 7(2) of the French version of the Act before paragraph (a) is replaced by the following:

    • Marginal note: Utilisation à l’insu de l’intéressé ou sans son consentement

      (2) Pour l’application de l’article 4.3 de l’annexe 1 et malgré la note afférente, l’organisation ne peut utiliser de renseignement personnel à l’insu de l’intéressé ou sans son consentement que dans les cas suivants :

  • (5) Subsection 7(2) of the Act is amended by adding the following after paragraph (b):

    • (b.1) the information is contained in a witness statement and the use is necessary to assess, process or settle an insurance claim;

    • (b.2) the information was produced by the individual in the course of their employment, business or profession and the use is consistent with the purposes for which the information was produced;

  • (6) The portion of subsection 7(3) of the French version of the Act before paragraph (a) is replaced by the following:

    • Marginal note: Communication à l’insu de l’intéressé ou sans son consentement

      (3) Pour l’application de l’article 4.3 de l’annexe 1 et malgré la note afférente, l’organisation ne peut communiquer de renseignement personnel à l’insu de l’intéressé ou sans son consentement que dans les cas suivants :

  • (7) Paragraph 7(3)(c.1) of the Act is amended by striking out “or” at the end of subparagraph (ii), by adding “or” at the end of subparagraph (iii) and by adding the following after subparagraph (iii):

    • (iv) the disclosure is requested for the purpose of communicating with the next of kin or authorized representative of an injured, ill or deceased individual;

  • Marginal note: 2000, c. 17, par. 97(1)(a)

    (8) Paragraph 7(3)(c.2) of the Act, as enacted by paragraph 97(1)(a) of chapter 17 of the Statutes of Canada, 2000, is repealed.

  • (9) The portion of paragraph 7(3)(d) of the Act before subparagraph (ii) is replaced by the following:

    • (d) made on the initiative of the organization to a government institution or a part of a government institution and the organization

      • (i) has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

  • (10) Subsection 7(3) of the Act is amended by adding the following after paragraph (d):

    • (d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

    • (d.2) made to another organization and is reasonable for the purposes of detecting or suppressing fraud or of preventing fraud that is likely to be committed and it is reasonable to expect that the disclosure with the knowledge or consent of the individual would compromise the ability to prevent, detect or suppress the fraud;

    • (d.3) made on the initiative of the organization to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and

      • (i) the organization has reasonable grounds to believe that the individual has been, is or may be the victim of financial abuse,

      • (ii) the disclosure is made solely for purposes related to preventing or investigating the abuse, and

      • (iii) it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the ability to prevent or investigate the abuse;

    • (d.4) necessary to identify the individual who is injured, ill or deceased, made to a government institution, a part of a government institution or the individual’s next of kin or authorized representative and, if the individual is alive, the organization informs that individual in writing without delay of the disclosure;

  • (11) Subsection 7(3) of the Act is amended by adding the following after paragraph (e):

    • (e.1) of information that is contained in a witness statement and the disclosure is necessary to assess, process or settle an insurance claim;

    • (e.2) of information that was produced by the individual in the course of their employment, business or profession and the disclosure is consistent with the purposes for which the information was produced;

  • (12) Paragraph 7(3)(f) of the French version of the Act is replaced by the following:

    • f) la communication est faite à des fins statistiques ou à des fins d’étude ou de recherche érudites, ces fins ne peuvent être réalisées sans que le renseignement soit communiqué, le consentement est pratiquement impossible à obtenir et l’organisation informe le commissaire de la communication avant de la faire;

  • (13) Subsection 7(3) of the Act is amended by adding “or” at the end of paragraph (h.1) and by repealing paragraph (h.2).

  • (14) Paragraph 7(3)(i) of the French version of the Act is replaced by the following:

    • i) la communication est exigée par la loi.

  • (15) Subsection 7(5) of the Act is replaced by the following:

    • Marginal note: Disclosure without consent

      (5) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in paragraphs (3)(a) to (h.1).

 