Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)

Act current to 2018-12-12 and last amended on 2018-11-01.

PART 1 Protection of Personal Information in the Private Sector (continued)

DIVISION 1 Protection of Personal Information (continued)

Marginal note: When access prohibited

  •  (1) Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

  • Marginal note: Limit

    (2) Subsection (1) does not apply if the third party consents to the access or the individual needs the information because an individual’s life, health or security is threatened.

  • Marginal note: Information related to paragraphs 7(3)(c), (c.1) or (d)

    (2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization

    • (a) inform the individual about

      • (i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or

      • (ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

    • (b) give the individual access to the information referred to in subparagraph (a)(ii).

  • Marginal note: Notification and response

    (2.2) An organization to which subsection (2.1) applies

    • (a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

    • (b) shall not respond to the request before the earlier of

      • (i) the day on which it is notified under subsection (2.3), and

      • (ii) thirty days after the day on which the institution or part was notified.

  • Marginal note: Objection

    (2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

    • (a) national security, the defence of Canada or the conduct of international affairs;

    • (a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

    • (b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

  • Marginal note: Prohibition

    (2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

    • (a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);

    • (b) shall notify the Commissioner, in writing and without delay, of the refusal; and

    • (c) shall not disclose to the individual

      • (i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,

      • (ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or

      • (iii) that the institution or part objects.

  • Marginal note: When access may be refused

    (3) Despite the note that accompanies clause 4.9 of Schedule 1, an organization is not required to give access to personal information only if

    • (a) the information is protected by solicitor-client privilege or, in civil law, by the professional secrecy of lawyers and notaries;

    • (b) to do so would reveal confidential commercial information;

    • (c) to do so could reasonably be expected to threaten the life or security of another individual;

    • (c.1) the information was collected under paragraph 7(1)(b);

    • (d) the information was generated in the course of a formal dispute resolution process; or

    • (e) the information was created for the purpose of making a disclosure under the Public Servants Disclosure Protection Act or in the course of an investigation into a disclosure under that Act.

    However, in the circumstances described in paragraph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access is requested, the organization shall give the individual access after severing.

  • Marginal note: Limit

    (4) Subsection (3) does not apply if the individual needs the information because an individual’s life, health or security is threatened.

  • Marginal note: Notice

    (5) If an organization decides not to give access to personal information in the circumstances set out in paragraph (3)(c.1), the organization shall, in writing, so notify the Commissioner, and shall include in the notification any information that the Commissioner may specify.

  • 2000, c. 5, s. 9, c. 17, s. 97;
  • 2001, c. 41, s. 82;
  • 2005, c. 46, s. 57;
  • 2006, c. 9, s. 223;
  • 2015, c. 32, s. 9.

Marginal note: Sensory disability

 An organization shall give access to personal information in an alternative format to an individual with a sensory disability who has a right of access to personal information under this Part and who requests that it be transmitted in the alternative format if

  • (a) a version of the information already exists in that format; or

  • (b) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this Part.

DIVISION 1.1 Breaches of Security Safeguards

Marginal note: Report to Commissioner

  •  (1) An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

  • Marginal note: Report requirements

    (2) The report shall contain the prescribed information and shall be made in the prescribed form and manner as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note: Notification to individual

    (3) Unless otherwise prohibited by law, an organization shall notify an individual of any breach of security safeguards involving the individual’s personal information under the organization’s control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

  • Marginal note: Contents of notification

    (4) The notification shall contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm. It shall also contain any other prescribed information.

  • Marginal note: Form and manner

    (5) The notification shall be conspicuous and shall be given directly to the individual in the prescribed form and manner, except in prescribed circumstances, in which case it shall be given indirectly in the prescribed form and manner.

  • Marginal note: Time to give notification

    (6) The notification shall be given as soon as feasible after the organization determines that the breach has occurred.

  • Marginal note: Definition of significant harm

    (7) For the purpose of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

  • Marginal note: Real risk of significant harm — factors

    (8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

    • (a) the sensitivity of the personal information involved in the breach;

    • (b) the probability that the personal information has been, is being or will be misused; and

    • (c) any other prescribed factor.

  • 2015, c. 32, s. 10.
 