Government of Canada / Gouvernement du Canada
Symbol of the Government of Canada


Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

Act current to 2021-09-11 and last amended on 2019-06-21. Previous Versions

PART 1Protection of Personal Information in the Private Sector (continued)

DIVISION 1.1Breaches of Security Safeguards (continued)

Marginal note:Notification to organizations

  •  (1) An organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.

  • Marginal note:Time to give notification

    (2) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note:Disclosure of personal information

    (3) In addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual if

    • (a) the disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1); and

    • (b) the disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.

  • Marginal note:Disclosure without consent

    (4) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in the circumstance set out in subsection (3).

  • 2015, c. 32, s. 10

Marginal note:Records

  •  (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.

  • Marginal note:Provision to Commissioner

    (2) An organization shall, on request, provide the Commissioner with access to, or a copy of, a record.

  • 2015, c. 32, s. 10

DIVISION 2Remedies

Filing of Complaints

Marginal note:Contravention

  •  (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.

  • Marginal note:Commissioner may initiate complaint

    (2) If the Commissioner is satisfied that there are reasonable grounds to investigate a matter under this Part, the Commissioner may initiate a complaint in respect of the matter.

  • Marginal note:Time limit

    (3) A complaint that results from the refusal to grant a request under section 8 must be filed within six months, or any longer period that the Commissioner allows, after the refusal or after the expiry of the time limit for responding to the request, as the case may be.

  • Marginal note:Notice

    (4) The Commissioner shall give notice of a complaint to the organization against which the complaint was made.

  • 2000, c. 5, s. 11
  • 2015, c. 32, s. 11

Investigations of Complaints

Marginal note:Examination of complaint by Commissioner

  • 2000, c. 5, s. 12
  • 2010, c. 23, s. 83

Marginal note:Powers of Commissioner

  •  (1) In the conduct of an investigation of a complaint, the Commissioner may

    • (a) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary to investigate the complaint, in the same manner and to the same extent as a superior court of record;

    • (b) administer oaths;

    • (c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;

    • (d) at any reasonable time, enter any premises, other than a dwelling-house, occupied by an organization on satisfying any security requirements of the organization relating to the premises;

    • (e) converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and

    • (f) examine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the investigation.

  • Marginal note:Dispute resolution mechanisms

    (2) The Commissioner may attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation.

  • Marginal note:Delegation

    (3) The Commissioner may delegate any of the powers set out in subsection (1) or (2).

  • Marginal note:Return of records

    (4) The Commissioner or the delegate shall return to a person or an organization any record or thing that they produced under this section within 10 days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.

  • Marginal note:Certificate of delegation

    (5) Any person to whom powers set out in subsection (1) are delegated shall be given a certificate of the delegation and the delegate shall produce the certificate, on request, to the person in charge of any premises to be entered under paragraph (1)(d).

  • 2010, c. 23, s. 83

Discontinuance of Investigation

Marginal note:Reasons

  • 2010, c. 23, s. 83
  • 2015, c. 32, s. 12
Date modified: