Digital Privacy Act (S.C. 2015, c. 32)

Assented to 2015-06-18

The Act is amended by adding the following before section 8:

Marginal note: Prospective business transaction
  • 7.2 (1) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, organizations that are parties to a prospective business transaction may use and disclose personal information without the knowledge or consent of the individual if

    • (a) the organizations have entered into an agreement that requires the organization that receives the personal information

      • (i) to use and disclose that information solely for purposes related to the transaction,

      • (ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

      • (iii) if the transaction does not proceed, to return that information to the organization that disclosed it, or destroy it, within a reasonable time; and

    • (b) the personal information is necessary

      • (i) to determine whether to proceed with the transaction, and

      • (ii) if the determination is made to proceed with the transaction, to complete it.

  • Marginal note: Completed business transaction

    (2) In addition to the circumstances set out in subsections 7(2) and (3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, if the business transaction is completed, organizations that are parties to the transaction may use and disclose personal information, which was disclosed under subsection (1), without the knowledge or consent of the individual if

    • (a) the organizations have entered into an agreement that requires each of them

      • (i) to use and disclose the personal information under its control solely for the purposes for which the personal information was collected, permitted to be used or disclosed before the transaction was completed,

      • (ii) to protect that information by security safeguards appropriate to the sensitivity of the information, and

      • (iii) to give effect to any withdrawal of consent made under clause 4.3.8 of Schedule 1;

    • (b) the personal information is necessary for carrying on the business or activity that was the object of the transaction; and

    • (c) one of the parties notifies the individual, within a reasonable time after the transaction is completed, that the transaction has been completed and that their personal information has been disclosed under subsection (1).

  • Marginal note: Agreements binding

    (3) An organization shall comply with the terms of any agreement into which it enters under paragraph (1)(a) or (2)(a).

  • Marginal note: Exception

    (4) Subsections (1) and (2) do not apply to a business transaction of which the primary purpose or result is the purchase, sale or other acquisition or disposition, or lease, of personal information.

Marginal note: Employment relationship

7.3 In addition to the circumstances set out in section 7, for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, a federal work, undertaking or business may collect, use and disclose personal information without the consent of the individual if

  • (a) the collection, use or disclosure is necessary to establish, manage or terminate an employment relationship between the federal work, undertaking or business and the individual; and

  • (b) the federal work, undertaking or business has informed the individual that the personal information will be or may be collected, used or disclosed for those purposes.

Marginal note: Use without consent
  • 7.4 (1) Despite clause 4.5 of Schedule 1, an organization may use personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.

  • Marginal note: Disclosure without consent

    (2) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in any of the circumstances set out in subsection 7.2(1) or (2) or section 7.3.

Subsection 8(8) of the French version of the Act is replaced by the following:

  • Marginal note: Retention of information

    (8) Despite clause 4.5 of Schedule 1, an organization that holds information that is the subject of a request shall retain it for as long as is necessary to allow the applicant to exhaust all the recourses available to them under this Part.

Marginal note: 2000, c. 17, par. 97(1)(c)
  • (1) Paragraph 9(2.3)(a.1) of the Act, as enacted by paragraph 97(1)(c) of chapter 17 of the Statutes of Canada, 2000, is repealed.

  • (2) Subparagraph 9(2.4)(c)(iii) of the French version of the Act is replaced by the following:

    • (iii) nor the fact that the institution or the subdivision objects to the organization acceding to the request.

  • (3) Paragraph 9(3)(a) of the Act is replaced by the following:

    • (a) the information is protected by solicitor-client privilege or, in civil law, by the professional secrecy of lawyers and notaries;

The Act is amended by adding the following after section 10:

Division 1.1 Breaches of Security Safeguards

Marginal note: Report to Commissioner
  • 10.1 (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

  • Marginal note: Report requirements

    (2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note: Notification to individual

    (3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

  • Marginal note: Contents of notification

    (4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

  • Marginal note: Form and manner

    (5) The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.

  • Marginal note: Time to give notification

    (6) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Definition of “significant harm”

    (7) For the purpose of this section, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

  • Marginal note: Real risk of significant harm — factors

    (8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

    • (a) the sensitivity of the personal information involved in the breach;

    • (b) the probability that the personal information has been, is being or will be misused; and

    • (c) any other prescribed factor.

Marginal note: Notification to organizations
  • 10.2 (1) An organization that notifies an individual of a breach of security safeguards under subsection 10.1(3) shall notify any other organization, a government institution or a part of a government institution of the breach if the notifying organization believes that the other organization or the government institution or part concerned may be able to reduce the risk of harm that could result from it or mitigate that harm, or if any of the prescribed conditions are satisfied.

  • Marginal note: Time to give notification

    (2) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note: Disclosure of personal information

    (3) In addition to the circumstances set out in subsection 7(3), for the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual if

    • (a) the disclosure is made to the other organization, the government institution or the part of a government institution that was notified of the breach under subsection (1); and

    • (b) the disclosure is made solely for the purposes of reducing the risk of harm to the individual that could result from the breach or mitigating that harm.

  • Marginal note: Disclosure without consent

    (4) Despite clause 4.5 of Schedule 1, an organization may disclose personal information for purposes other than those for which it was collected in the circumstance set out in subsection (3).

Marginal note: Records
  • 10.3 (1) An organization shall, in accordance with any prescribed requirements, keep and maintain a record of every breach of security safeguards involving personal information under its control.

  • Marginal note: Provision to Commissioner

    (2) An organization shall, on request, provide the Commissioner with access to, or a copy of, a record.

Subsection 11(1) of the Act is replaced by the following:

Marginal note: Contravention
  • 11. (1) An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.

Subsection 12.2(1) of the Act is amended by adding the following after paragraph (c):

  • (c.1) the matter is the object of a compliance agreement entered into under subsection 17.1(1);
