This document was prepared by the staff of the Parliamentary Research Branch to provide Canadian Parliamentarians with plain language background and analysis of proposed government legislation. Legislative summaries are not government documents. They have no official legal status and do not constitute legal advice or opinion. Please note, the Legislative Summary describes the bill as of the date shown at the beginning of the document. For the latest published version of the bill, please consult the parliamentary internet site at www.parl.gc.ca.

line.gif (3412 bytes)

LS-344E

 

BILL C-6: PERSONAL INFORMATION PROTECTION
AND ELECTRONIC DOCUMENTS ACT

 

Prepared by:
John Craig
Law and Government Division
15 October 1999
Revised 15 May 2000


 

LEGISLATIVE HISTORY OF BILL C-6

 

HOUSE OF COMMONS

SENATE

Bill Stage Date Bill Stage Date
First Reading:

15 October 1999

First Reading:

2 November 1999

Second Reading:

15 October 1999

Second Reading:

6 December 1999

Committee Report:

15 October 1999

Committee Report:

7 December 1999

Report Stage:

20 October 1999

Report Stage:

7 December 1999

Third Reading:

26 October 1999

Third Reading:

9 December 1999



Message sent to House of Commons: 9 December 1999
Concurrence in Senate amendments: 4 April 2000

Royal Assent:  13 April 2000
Statutes of Canada 2000, c.5





N.B. Any substantive changes in this Legislative Summary which have been made since the preceding issue are indicated in bold print.

 

 

 

 

 

TABLE OF CONTENTS


BACKGROUND

DESCRIPTION

   A. Title (Clause 1)

Part 1

   B. Definitions, Purpose, Application, Schedule 1 References (Clauses 2 to 5)
      1. Definitions (Clause 2)
      2. Purpose (Clause 3)
      3. Application of Part 1 (Clause 4)
      4. Provisions Referring to Schedule 1, Including Use of "should";
          the "Reasonable Purposes" Requirement (Clause 5)

   C. Exemptions from the Requirement of Knowledge or Consent (Clause 7)
      1. Exemptions with Respect to Collection (Clause 7(1))
      2. Exemptions with Respect to Use (Clause 7(2))
      3. Exemptions with Respect to Disclosure (Clause 7(3))
      4. Conditions Attached to the Exemptions for Statistical, or Scholarly
          Study or Research Purposes (Clause 7(2)(c) and 7(3)(f))

   D. Rules Governing Access to Personal Information (Clauses 8 to 10)
      1. Rules Regarding Time Limits, the Requirement to Retain Information,
          and Costs of Responding to a Complaint (Clauses 8 and 10)
         a. Clause 8
         b. Clause 10
      2. When Access Could Be Refused (Clause 9)

   E. Filing and Investigation of Complaints, Commissioner’s Report
       (Clauses 11, 12 and 13)
      1. Filing of a Complaint (Clause 11)
      2. Investigation of a Complaint (Clause 12)
      3. Commissioner’s Report (Clause 13)

   F. Court Hearing and Remedies (Clauses 14 to 17)

   G. Other Duties and Powers of the Commissioner
        (Clauses 18 to 20 and 23 to 26)
      1. Audits (Clauses 18 and 19)
      2. The Commissioner Could Make Public the Personal Information Management
          Practices of an Organization (Clause 20(2))
      3. Consultation with Provincial Authorities (Clause 23)
      4. Commissioner’s Public Education Mandate (Clause 24)
      5. Annual Report (Clause 25)

   H. Exclusion of Application of Part 1 within a Province (Clauses 30 and 26(2)(b))

   I. Other Part 1 Provisions
      1. Regulation-making Power of the Governor in Council (Clause 26(1))
      2. "Whistleblower" Protection (Clauses 27 and 27.1)
      3. Fines (Clause 28)
      4. Parliamentary Review (Clause 29)

   J.  One-Year Exemption for "Personal Health Information" (Clause 30)

Schedule 1

      1. Accountability
      2. Identifying Principles
      3. Consent
      4. Limiting Collection
      5. Limiting Use, Disclosure and Retention
      6. Accuracy
      7. Safeguards
      8. Openness
      9. Individual Access
      10. Challenging Compliance

Parts 2 to 5

COMMENTARY: COMMITTEE STUDY OF BILL C-54 (PREDECESSOR BILL)

   A. Definitions

   B. Exemptions

   C. Deletions

   D. Other


BILL C-6: PERSONAL INFORMATION PROTECTION
AND ELECTRONIC DOCUMENTS ACT(1)*

BACKGROUND

Bill C-6 would introduce measures to protect personal information in the private sector, create an electronic alternative for doing business with the federal government, and clarify how the courts would assess the reliability of electronic records used as evidence. The bill passed report stage on 20 October 1999 and is currently at third reading in the House of Commons.

Bill C-6 passed third reading in the House of Commons on 26 October 1999, and received first reading in the Senate in early November. The subject matter of the bill was subsequently referred to the Standing Senate Committee on Social Affairs, Science and Technology, which held hearings in late November and early December. The Committee’s hearings focused largely on concerns regarding the application of Part 1 of the bill to personal health information. The Committee recommended amendments that would delay the application of the bill to personal health information for one year following the coming into force of Part 1. The purpose of these amendments was to provide health care stakeholders with an opportunity to formulate legislative measures appropriate to the special nature of personal health information. These amendments passed third reading in the Senate on 9 December, after which the amended bill was returned to the House of Commons for consideration. The Senate amendments were subsequently accepted by the House of Commons, and the bill received Royal Assent on 13 April 2000.

The Governor in Council, on 26 April 2000, fixed the following dates for the coming into force of Parts 1 to 4 of the newly passed Act:

(a) 1 May 2000 as the day on which Parts 2, 3 and 4 shall come into force; and

(b) 1 January 2001 as the day on which Part 1 shall come into force.

In light of the Senate amendments and the order-in-council, the new Act will not apply to personal health information until 1 January 2002.

Bill C-6 is a one of several components of the Canadian Electronic Commerce Strategy announced by Prime Minister Chrétien on 22 September 1998, which is aimed at "recreating in cyberspace the same expectations of trust, confidence and reliability that now exist in everyday commerce." The government’s stated goal is for Canada to become a world leader in electronic commerce by the year 2000; this bill is one of the measures to be used to achieve this goal.

The bill contains six parts, the most prominent of which is Part 1, "Protection of Personal Information in the Private Sector." Together with Schedule 1, which contains the CSA Model Code, Part 1 would establish rules governing the collection, use and disclosure of, as well as access to, personal information in the private sector. Part 2, entitled "Electronic Documents," would provide for the use of electronic alternatives where federal laws now contemplate the use of paper to record or communicate information. The other parts would provide amendments to other federal statutes to facilitate the use and legal recognition of electronic documents.(2)

Currently, no federal legislation protects personal information in the private sector. The federal Privacy Act provides such protection to the public sector only. Part 1 of Bill C-6 is designed to fill this gap. The Province of Quebec is the only jurisdiction in Canada, and indeed in North America, to have enacted legislation applying to data protection in the private sector. Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, also known as Bill 68, came into force in 1994.

Part 1 of Bill C-6 also responds to recent privacy initiatives in Europe. In 1995, the European Union passed its Directive on Data Protection which introduces privacy protection applying to the private sector. The Directive required member countries to adopt national data protection laws that meet the standards of the Directive within three years (by 1998). Notably, Article 25 of the Directive prohibits member countries from transferring personal information to a non-member country or to a business located in a non-member country, if the non-member country’s laws do not provide adequate protection for personal information. The Directive could, therefore, have a negative impact on Canadian businesses engaged in commerce with companies in European Union countries, unless adequate privacy legislation is introduced in Canada.

In Canada, a voluntary, private-sector privacy code has already been in place for three years. Under the auspices of the Canadian Standards Association (CSA), from 1992 to 1995 a committee comprising consumer, business, government, and labour representatives developed a code for the protection of personal information. The CSA Code, which is entitled the Model Code for the Protection of Personal Information, sets out ten privacy protection principles with supporting clauses. The CSA Code was approved as a national standard by the Standards Council of Canada and was published in 1996.

Bill C-6 incorporates the CSA Code, which is appended as Schedule 1. To the extent that many of the substantive provisions on privacy protection are located in the Schedule rather than in the main body of the bill, Bill C-6 is unusual in design.

During the hearings of the Standing Committee on Industry on the bill’s predecessor, Bill C-54, and during the report stage debates of Bill C-6 in the House of Commons, discussion focused almost entirely on Part 1 of the bill. The following description of Bill C-6 reflects this focus.

DESCRIPTION

   A. Title (Clause 1)

The new Act would be called the Personal Information Protection and Electronic Documents Act.

Part 1

Part 1 of Bill C-6 contains clauses 2 to 30. The provisions in Part 1 contain definitions, the purpose of Part 1, scope of application, a "purposes limitation" requirement, and the exemptions whereby an organization could collect, use and disclose personal information without the knowledge or consent of the individual concerned. Part 1 also contains provisions regarding access by individuals to their personal information, grounds for refusing an access request, the manner in which a complaint could be brought forward, the Commissioner’s powers of investigation and audit, the Commissioner’s report, court hearing and remedies, other duties and powers of the Commissioner, the regulation and order-making powers of the Governor in Council, "whistleblower protection," an offences and punishment clause, and a transitional clause.

   B. Definitions, Purpose, Application, Schedule 1 References (Clauses 2 to 5)

      1. Definitions (Clause 2)

The most notable definitions in clause 2 are those for "commercial activity," "organization" and "personal information." The definition of "commercial activity" provides that commercial activity means "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." The definition of "organization" is inclusive, stating that an organization "includes an association, a partnership, a person and a trade union." "Personal information" is defined as "information about an identifiable individual but [that] does not include the name, title or business address or telephone number of an employee of an organization."

In its 6 December 1999 Report, the Standing Senate Committee on Social Affairs, Science and Technology recommended that Bill C-6 be amended to add a new definition, "personal health information," to clause 2 of the bill. This amendment, together with amendments to clause 30 delaying the application of the bill to personal health information for one year, were passed in the Senate and subsequently accepted by the House of Commons. The bill, as amended, received Royal Assent on 13 April 2000.

      2. Purpose (Clause 3)

Clause 3 states that the purpose of Part 1 is "to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances."

As an interpretive aid to Part 1, clause 3 would appear to require that the rights of individuals to the privacy and security of their information be balanced against the reasonable needs of organizations for information in today’s high-technology and information-based economy.

Clause 3 would also require that the purposes for which information was collected, used or disclosed be limited to those that "a reasonable person would consider appropriate in the circumstances." This "reasonable purposes" limitation is also found in clause 5(3).

      3. Application of Part 1 (Clause 4)

Pursuant to clause 4(1), Part 1 of the bill would apply to organizations in relation to personal information that they collect, use or disclose

  • in the course of commercial activities,(3) or
  • where the personal information is about an employee of the organization, and in connection with the operation of a federal work, undertaking or business.(4)

However, pursuant to clause 4(2), Part 1 would not apply

  • to any government institution to which the Privacy Act applies,

  • to personal information collected, used or disclosed by an individual exclusively for personal or domestic purposes, or

  • to any organization in respect of personal information that it collected, used or disclosed for journalistic, artistic or literary purposes and did not collect, use or disclose for any other purpose.

Clause 4(3) contains a "primacy clause": every provision of Part 1 would take precedence over any subsequently enacted provision of any other Act of Parliament, except where that Act expressly declared that its provision(s) would operate despite the Part 1 provision(s).

4. Provisions Referring to Schedule 1, Including Use of "should";
    the "Reasonable Purposes" Requirement (Clause 5)

Division 1 of Part 1 is entitled "Protection of Personal Information" and contains clauses 5 to 10. The three subclauses of clause 5 provide that:

  • organizations would have to comply with the obligations set out in Schedule 1, subject to the exceptions contained in clauses 6 to 9 (clause 5(1));
  • the use of the word "should" in Schedule 1 indicates a recommendation and would not impose an obligation (clause 5(2));
  • the purposes for which an organization could collect, use or disclose personal information would be limited to those that "a reasonable person would consider appropriate in the circumstances" (clause 5(3)).

As noted earlier, according to clause 5(3) the purposes for which information could be collected, used, or disclosed would be limited to those that were reasonable. The European Union’s Directive on Data Protection and the Quebec Civil Code contain similar "purposes limitation" provisions, with stronger wording.

   C. Exemptions from the Requirement of Knowledge or Consent (Clause 7)

Clause 7 is a key provision of Part 1. This clause sets out the exemptions under which an organization would be allowed to collect, use or disclose personal information without the knowledge or consent of the individual concerned. Clauses 7(1), 7(2) and 7(3) respectively list the exemptions available regarding collection, use, and disclosure.

Each of these three categories of exemption includes an exemption for personal information that is publicly available, as specified by the regulations (clause 7(1)(d), 7(2)(c.1), and 7(3)(h.1) respectively).

      1. Exemptions with Respect to Collection (Clause 7(1))

An organization would be exempted from obtaining consent with respect to the collection of personal information only where:

(a) the collection was clearly in the interests of the individual and consent could not be obtained in a timely way;

(b) it was reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection was reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;

(c) the collection was solely for journalistic, artistic or literary purposes;(5) or

(d) the information was publicly available and was specified by the regulations.

      2. Exemptions with Respect to Use (Clause 7(2))

An exemption with respect to use would only be allowed where:

(a) the organization became aware of information that it had reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that had been, was being or was about to be committed, and the information was to be used for the purpose of investigating that contravention;

(b) the information was used for the purpose of acting in an emergency that threatened the life, health or security of an individual;

(c) the information was used for statistical, or scholarly study, or research, purposes (under certain conditions described below);

(c.1) the information was publicly available and was specified by the regulations; or

(d) the information was collected under clause (1)(a) or (b).

      3. Exemptions with Respect to Disclosure (Clause 7(3))

An exemption with respect to disclosure would only be allowed if disclosure was:

(a) made to legal counsel representing the organization;

(b) for the purpose of collecting a debt owed by the individual to the organization;

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body that had jurisdiction to compel the production of information, or to comply with the rules of the court relating to the production of records;

(c.1) to a government institution or part of a government institution that had requested the information, identified its lawful authority to obtain the information, and indicated that:

(i) it suspected that the information related to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure was requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law, or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure was necessary for the purpose of administering any law of Canada or a province;

(d) made on the initiative of the organization to an investigative body and the organization

(i) had reasonable grounds to believe that the information related to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that had been, was being or was about to be committed, or

(ii) suspected that the information related to national security, the defence of Canada or the conduct of international affairs.

(e) made to a person who needed the information because of an emergency that threatened the life, health or security of an individual and, if the individual the information was about was alive, the organization without delay informed that individual in writing of the disclosure;

(f) for statistical, or scholarly study or research, purposes (under conditions which are described below);

(g) made to an institution whose functions included the conservation of records of historic or archival importance and the disclosure was made for the purpose of such conservation;

(h) made after either 100 years after the creation of the record containing the information, or 20 years after the death of the individual the information was about, whichever date was earlier;

(h.1) of information that was publicly available and was specified by the regulations;

(h.2) made by an investigative body and disclosure was reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or

(i) required by law.

      4. Conditions Attached to the Exemptions for Statistical, or Scholarly
          Study or Research Purposes (Clause 7(2)(c) and 7(3)(f))

An exemption for the use of personal information for "statistical, or scholarly study or research, purposes" would be allowed only if all of the following conditions were met (clause 7(2)(c)):

(i)  the purposes could not be achieved without using the information;

(ii)  the information was used in a manner that would ensure its confidentiality;

(iii) it was impracticable to obtain consent; and

(iv) the organization informed the Commissioner of the use before the information was used.

An exemption for disclosure for statistical, or scholarly study or research, purposes would be allowed only if conditions analogous to (i), (iii) and (iv) above were met (clause 7(3)(f)).

   D. Rules Governing Access to Personal Information (Clauses 8 to 10)

      1. Rules Regarding Time Limits, the Requirement to Retain Information,
          and Costs of Responding to a Complaint (Clauses 8 and 10)

         a. Clause 8

Clause 8 would provide procedural rules respecting an individual’s request for access to his or her personal information. An organization would be required to respond within 30 days of receiving a request (clause 8(3)), but would be able to extend this time limit:

  • for a maximum of 30 days, under certain conditions which are outlined in clause 8(4)(a); or

  • where applicable, for a period necessary to convert the personal information into an alternative format (for example, Braille), pursuant to clause 8(4)(b)).

Under clause 8(4), an organization that extended its time limit would be required to send a notice of extension to the individual, stating the reasons for the extension, and the individual’s right to complain to the Commissioner about the extension. Similarly, an organization that responded within the time limit, but refused a request, would be required to inform the individual in writing, setting out its reasons and any recourse available under Part 1 (i.e., the right to file a complaint with the Commissioner, pursuant to clause 11(1)).

If an organization failed to respond within the time limit it would be deemed to have refused the access request (clause 8(5)).

An organization would be able to respond at a cost to the individual only if the individual had been informed of the approximate cost and had advised the organization that the request was not being withdrawn (clause 8(6)).

Finally, clause 8(8) would require that an organization that possessed information that was the subject of a request would be required to retain it for as long as necessary to allow the individual any recourse available under Part 1.

         b. Clause 10

Clause 10 states the conditions under which an organization would be required to give access in an alternative format, where the individual requesting access had a sensory disability.

      2. When Access Could Be Refused (Clause 9)

Clause 9 sets out the conditions under which an organization would not be required to provide access to personal information. Clause 9(1) would prohibit an organization from providing an individual with access to information that would reveal personal information about a third party, unless the third party information could be, and was, severed from the record. If the third party consented, however, or if the individual needed the information because an individual’s life, health or security was threatened, the third party prohibition would not apply (clause 9(2)).

The Minister of Industry introduced amendments to clause 9 which were passed at report stage: specifically, clause 9(2.1), (2.2), (2.3) and (2.4). Clause 9(2.1) would allow an individual to be informed about, or provided access to, information about

  • any disclosure of information to a government institution, or part of a government institution, under clause 7(3)(c), (c.1)(i) or (ii), or (d); or

  • the existence of any information that the organization had relating to such a disclosure, to a subpoena, warrant or order referred to in clauses 7(3)(c) or to a request by a government institution under clause 7(3)(c.1(i) or (ii) (clause 9(2.1)).

Clause 9(2.2) would require an organization to which clause 9(2.1) applied to notify the institution concerned without delay of the request made by the individual. Under clause 9(2.3), the institution would be required to notify the organization whether or not it objected to the organization’s compliance with the request. The institution could only object if it was of the opinion that the request could reasonably be expected to be injurious to:

  • national security, the defence of Canada or the conduct of international affairs, or
  • the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law, or the gathering of intelligence for the purposes of enforcing any such law.

If an organization was notified that the institution objected to the organization’s compliance with the request, the organization would be required to refuse the request, to notify the Commissioner of the refusal, and not to disclose to the individual

  • any information that the organization had relating to the disclosure,
  • that the organization had notified an institution or the Commissioner, or
  • that the institution had objected to the disclosure (clause 9(2.4)).

Pursuant to clause 9(3), an organization could refuse to give access to personal information in the following circumstances:

  • the information was protected by solicitor-client privilege;
  • to do so would reveal confidential commercial information (unless this information could be severed);
  • to do so could reasonably be expected to threaten the life or security of another individual (unless this information could be severed);
  • the information was collected under clause 7(1)(b); i.e., collection was for purposes related to breach of an agreement or the detection of an offence under federal or provincial law;(6) or
  • the information was generated in the course of a formal dispute resolution process.

None of the grounds for refusal under clause 9(3) would be permitted, however, if the individual needed the information because an individual’s life, health or security was threatened.

   E. Filing and Investigation of Complaints, Commissioner's Report
       (Clauses 11, 12 and 13)

      1. Filing of a Complaint (Clause 11)

Under clause 11, a complaint could be brought forward in two ways: by an individual who would file a complaint with the Commissioner, or by the Commissioner on his or her own initiative.

An individual would be able to file a complaint against an organization either for contravening a provision of Division 1 or for not following a recommendation set out in Schedule 1(7) (clause 11(1)). The Commissioner would be able to initiate a complaint only if satisfied that there were reasonable grounds to investigate a matter under Part 1 (clause 11(2)).

Clause 11(3) would require a complaint resulting from a refusal to grant an access request to be filed within six months, or any longer period that the Commissioner allowed. Pursuant to clause 11(4), the Commissioner would be required to give notice of a complaint to the organization.

      2. Investigation of a Complaint (Clause 12)

The Commissioner would be required to investigate a complaint, and for this purpose would be authorized to do as follows, pursuant to clause 12(1):

  • summon and enforce the appearance of persons and compel them to give evidence on oath and produce records and things, to the same extent as a superior court of record;

  • administer oaths;
  • receive and accept evidence and other information, whether or not it would be admissible in a court of law;

  • at any reasonable time, enter any premises, other than a dwelling-house, occupied by the organization;

  • converse with any person in the premises and carry out any inquiries the Commissioner saw fit; and

  • examine or obtain copies of or extracts from records found in the premises that contained any matter relevant to the investigation.

Pursuant to clause 12(2), the Commissioner would also be authorized to attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation. In addition, the Commissioner would be authorized to delegate any of the powers set out in subclauses (1) or (2), (clause 12(3)).

      3. Commissioner’s Report (Clause 13)

Within one year of the filing or initiating of a complaint, the Commissioner would be required to prepare a report, and send it to both the complainant and the organization. According to clause 13(1), the report would contain:

  • the Commissioner’s findings and recommendations;

  • any settlement reached by the parties;

  • if appropriate, a request that the organization provide the Commissioner with notice of any action taken or proposed to implement the recommendations, or provide reasons why such action was not taken; and

  • the recourse available under clause 14 (court hearing application).

The Commissioner would not be required to prepare a report if he or she were satisfied that:

  • the complainant ought first to have exhausted grievance or review procedures;

  • the complaint could be more appropriately dealt with by means of a procedure provided under other federal or provincial laws;

  • such time had elapsed that a report would not serve a useful purpose; or

  • the complaint was trivial, frivolous or vexatious or had been made in bad faith.

If a report was not prepared, the Commissioner would be required to inform the complainant and the organization, and provide reasons (clause 13(2)).

   F. Court Hearing and Remedies (Clauses 14 to 17)

A complainant could, after receiving the Commissioner’s report, apply to the Federal Court – Trial Division for a hearing in respect of any matter reported by the Commissioner and that was referred to in any of the clauses listed in clause 14(1).(8)

In respect of a complaint that the Commissioner did not initiate, he or she would be authorized to:

  • apply to the Court for a hearing, with the consent of the complainant;

  • appear before the court on behalf of a complainant who had applied for a hearing; or

  • with leave of the Court, appear as a party to any hearing applied for (clause 15).

The Court would be able, in addition to any other remedies it could give:

  • to order an organization to correct its practices in order to comply with clauses 5 to 10;

  • to order an organization to publish a notice of any action taken or proposed for correcting its practices; and

  • to award damages to the complainant, including damages for any humiliation suffered (clause 16 (1)).

Clause 17(2) would require the Court, in any proceeding pursuant to clause 14 or 15, to take every reasonable precaution, including, when appropriate, receiving representations ex parte and conducting hearings in camera, to avoid the disclosure by the Court or any other person of any information or other material that the organization would be authorized to refuse to disclose if it were requested under clause 4.9 of Schedule 1.

   G. Other Duties and Powers of the Commissioner
        (Clauses 18 to 20 and 23 to 26)

      1. Audits (Clauses 18 and 19)

Under clause 18(1), on reasonable notice and at any reasonable time, the Commissioner would be able to audit the personal information practices of an organization if he or she had reasonable grounds to believe that it

  • was contravening a provision of Division 1, or
  • was not following a recommendation set out in Schedule 1.

The Commissioner’s powers for the purpose of conducting an audit would be identical to those for conducting an investigation. Specifically, the Commissioner would be able to compel and receive evidence and administer oaths, enter an organization’s premises, carry out inquiries, and examine and obtain copies of records containing matters relevant to the audit (clause 18(1)). The Commissioner would also be authorized to delegate any of these powers (clause 18(2)).

The Commissioner would be required to provide a report to the audited organization with the findings of the audit and any recommendations (clause 19(1)). Clause 19(2) is particularly notable, in that it would provide the Commissioner with discretion to include an audit report in his or her annual report to Parliament.

      2. The Commissioner Could Make Public the Personal Information Management
          Practices of an Organization (Clause 20(2))

Clause 20(1) would protect confidentiality in respect of an audit or investigation, by prohibiting the Commissioner or any person acting on the Commissioner’s behalf from disclosing information arising out of the performance of any of the Commissioner’s powers or duties. However, subclauses (2) to (5) would allow for a number of exceptions; the most notable of these (subclause (2)) would allow the Commissioner, where he or she considered it to be in the public interest, to make public any information relating to the personal information management practices of an organization.

      3. Consultation with Provincial Authorities (Clause 23)

Clause 23 would provide authority to the Commissioner to consult with provincial authorities. Specifically, the Commissioner would be authorized to consult and enter into agreements with any person who, under provincial legislation substantially similar to Part 1, had similar powers and duties. The Commissioner would also be authorized to co-ordinate activities, undertake and publish research, and develop model contracts for the protection of personal information that was collected, used or disclosed interprovincially or internationally.

      4. Commissioner’s Public Education Mandate (Clause 24)

Clause 24 would give the Commissioner a public education mandate whereby he or she would be required to develop and conduct information programs to foster public understanding of the purposes of Part 1, undertake and publish research related to the protection of personal information, encourage organizations to develop policies and practices including codes of practice to comply with the provisions of Division 1, and promote the purposes of Part 1.

      5. Annual Report (Clause 25)

Clause 25 would require the Commissioner to submit an annual report to Parliament concerning the application of Part 1, the extent to which the provinces had enacted substantially similar legislation, and the application of such legislation.

   H. Exclusion of Application of Part 1 within a Province (Clauses 30 and 26(2)(b))

Clause 30(1) would provide that Part 1 would not apply to "any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration." Clause 30(2) would provide that the exclusion of the application of Part 1 within a province would cease to have effect three years after clause 30 came into force.

Otherwise stated, under clause 30, Part 1 would initially apply to the federally regulated private sector (for example, the telecommunications, broadcasting, banking, and airline industries) and to federal Crown corporations operating in these areas. Part 1 would also immediately apply to interprovincial and international flows of personal information for commercial purposes. Three years after coming into force, Part 1 would apply more broadly, to cover private sector commercial activities within the provinces.

Under clause 27(2)(b), however, the Governor in Council would have the power to exempt an organization, class of organizations, activity or class of activities from the application of Part 1, if the Governor in Council were satisfied that a province had adopted legislation that was substantially similar to Part 1 which applied to the organization, class of organizations, activity or class of activities in question. This exemption would be limited, however, to the collection, use or disclosure of personal information within the province.

   I. Other Part 1 Provisions

      1. Regulation-making Power of the Governor in Council (Clause 26(1))

Under clause 26(1), the Governor in Council would be empowered to make regulations:

  • specifying, by name or by class, what would be considered a government institution or part of a government institution, and what would be considered an investigative body;

  • specifying information or classes of information that are "publicly available" for the purposes of clause 7(1)(d), 2(c.1) or (3)(h.1); and

  • for carrying out the purposes and provisions of Part 1.

      2. "Whistleblower" Protection (Clauses 27 and 27.1)

A person who had reasonable grounds to believe that another person had contravened or intended to contravene, a provision of Division 1 would be protected, provided he or she notified the Commissioner and requested that his or her identity be kept confidential (clause 27). Where the Commissioner provided an assurance of confidentiality, the whistleblower’s identity would not have to be disclosed.

Clause 27.1 would provide protection specifically for employees who, acting in good faith and on the basis of reasonable belief:

  • disclosed to the Commissioner that the employer, or any other person, had contravened or intended to contravene a provision of Division 1;

  • refused or stated an intention of refusing to do anything that was a contravention of a provision of Division 1; or

  • had done or stated an intention of doing anything that was required to be done in order to prevent contravention of a provision of Division 1, or, where the employer believed that the employee would do any of the above actions.

The protection provided would be against dismissal, suspension, demotion, discipline, harassment, disadvantage or other denial of a benefit of employment by the employer.

Under clause 27.1, the definition of "employee" would include an independent contractor. Clause 28 would provide for a fine for any person who knowingly took action against a whistleblowing employee.

      3. Fines (Clause 28)

Clause 28 would provide for a fine as the penalty for three types of contravention under Part 1, specifically in respect of every person who knowingly:

  • contravened the requirement to retain information under clause 8(8);
  • took action against a whistleblowing employee, contrary to clause 27.1; or
  • obstructed the Commissioner or the Commissioner’s delegate in the investigation of a complaint or in conducting an audit.

The amount of the fine would be limited to $10,000 for a summary conviction offence, and $100,000 for an indictable offence.

      4. Parliamentary Review (Clause 29)

Clause 29 would provide for a review of Part 1 by Parliament every five years.

   J. One-Year Exemption for "Personal Health Information" (Clause 30)

In its Report to the Senate on 6 December 1999, the Standing Senate Committee on Social Affairs, Science and Technology recommended that clause 30 of the bill be amended. A new clause, clause 30(1.1), would provide that Part 1 would not apply to any organization in respect of personal health information that it collected, used or disclosed. Under a second new clause, clause 30(2.1), clause 30(1.1) would cease to have effect one year after the day clause 30 came into force.

These amendments were passed by the Senate and subsequently accepted by the House of Commons. Bill C-6 received Royal Assent on 13 April 2000. Pursuant to an order-in-council dated 26 April 2000, Part 1 of the bill (which includes clause 30) will come into force on 1 January 2001. This means that, under clause 30(2.1), the "exemption" for personal health information will expire on 1 January 2002.

Schedule 1

The full title of Schedule 1 is "Principles Set Out in the National Standard of Canada entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96." This code is commonly referred to as the CSA Code. Schedule 1 contains ten overarching principles (Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance), each of which is supported by a number of more specific clauses. Schedule 1 was not amended at report stage.

Some of the provisions in Schedule 1 contain language not typically found in legislation. While most of the clauses in the Schedule contain the word "shall," thereby imposing an obligation, other clauses are merely explanatory, while still others contain the word "should," reflecting the fact that the CSA Code was originally drafted to provide voluntary, rather than legally mandated, standards. The provisions containing "should" or wording such as " organizations are encouraged to" were intended to provide "best practices" guidance.

It is noted, however, that clause 11(1) of Part 1 would allow an individual to file a complaint against an organization for contravening a recommendation set out in Schedule 1. Similarly, clause 18(1) of Part 1 would authorize the Commissioner to audit an organization upon reasonable belief that the organization was not following a recommendation in Schedule 1.

It is also noted that a number of the clauses in Part 1 would override, modify, or provide exceptions to some of the clauses in Schedule 1. The most notable examples of legislative override in Part 1 concern Principles 3 (Consent) and 9 (Individual Access), both of which are followed by explanatory notes. However, clause 7(1), (2), (3) and clause 9(1) and (3) of Part 1 would provide exemptions to replace those set out in the explanatory notes.

The statements that head each of the ten principles in Schedule 1 are provided below; the clauses and explanatory notes are not included.

      1. Accountability

Principle 1 states that an organization would be responsible for personal information under its control and would have to designate an individual or individuals who were accountable for the organization’s compliance with the following principles.

It is noted that clause 6 of Part 1 would elaborate on Principle 1 to say that, by designating an individual under Principle 1, an organization would not be relieved of complying with the obligations set out in Schedule 1.

      2. Identifying Principles

The purposes for which personal information was collected would have to be identified by the organization at or before the time the information was collected.

      3. Consent

The knowledge and consent of the individual would be required for the collection, use or disclosure of personal information, except where this was inappropriate.

      4. Limiting Collection

The collection of personal information would have to be limited to that necessary for the purposes identified by the organization. Information would be required to be collected by fair and lawful means.

      5. Limiting Use, Disclosure and Retention

Principle 5 states that personal information could not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. The Principle also states that personal information could be retained only as long as was necessary for fulfilment of those purposes.

It is noted that the statement above referring to use or disclosure would be subject to override by clause 7(4) and (5) of Part 1, whereby an organization could use or disclose personal information for purposes other than those for which it was collected, and which are set out in clause 7(2) and (3).

      6. Accuracy

Personal information would have to be as accurate, complete and up-to-date as was necessary for the purposes for which it was to be used.

      7. Safeguards

Personal information would have to be protected by security safeguards appropriate to the sensitivity of the information.

      8. Openness

An organization would be required to make specific information about its policies and practices relating to the management of personal information readily available to individuals.

      9. Individual Access

Upon request, an individual would have to be informed of the existence, use and disclosure of his or her personal information and be given access to that information. The individual would have the right to challenge its accuracy and completeness and have it amended as appropriate.

      10. Challenging Compliance

An individual would be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

Parts 2 to 5

According to clause 32, the stated purpose of Part 2 of Bill C-6 is to provide for the use of electronic alternatives where federal laws contemplate the use of paper to record or communicate information or transactions. This Part would permit federal departments, agencies or other bodies to communicate and deliver services electronically. Enabling and interpretive provisions under Part 2 would introduce a degree of equivalency between paper and electronic formats.

A key component of Part 2 is the concept of "secure electronic signature," whereby federal government departments would ensure the integrity and reliability of electronic transmissions. Under the proposed legislation, individual government departments would be able to opt into the legislative scheme when they had developed the appropriate technological and operational capacity to do so. Clause 48(1) of Part 2 would authorize the Governor in Council, on recommendation of the Treasury Board, to make regulations prescribing technologies or processes for defining "secure electronic signature." Other provisions in Part 2 would assist the courts to recognize secure electronic signatures and how they would be used in relation to electronic documents.

A related element of the proposed legislation concerns electronic documents used as evidence in legal proceedings. Usually, evidence in the form of an original document is required to satisfy a court that the terms and conditions of an agreement have not been altered since it was signed. This requirement is known as the "best evidence" rule. In the case of electronic documents, however, this rule is difficult to satisfy because the original cannot be distinguished from an amended document and because the document is not authenticated by hand-written signatures. The federal government would, therefore, require the use of secure electronic signatures for electronic documents whenever the law required original documents or statements of truth.

Part 3 of the bill would provide amendments to the Canada Evidence Act to give notices and Acts published electronically by the Queen’s Printer the same legal authority as notices and Acts published on paper. Part 3 also contains provisions to clarify how the courts would assess the integrity of an electronic document introduced as evidence.

Part 4 would amend the Statutory Instruments Act to allow an electronic version of the Canada Gazette to have official status. Part 5 would authorize the publication of revisions of the statutes and regulations of Canada, as well as the consolidated version of the statutes and regulations, in either print or electronic form. The amendments in Parts 4 and 5 would be brought into force when the appropriate technology was in place for ensuring the integrity of the electronic versions.

Pursuant to an order-in-council dated 26 April 2000, Parts 2, 3 and 4 shall come into force on 1 May 2000.

COMMENTARY: COMMITTEE STUDY OF BILL C-54 (PREDECESSOR BILL)

Bill C-6 was preceded by Bill C-54, of the same title. Bill C-54 was introduced in Parliament on 1 October 1998 and was referred to the House of Commons Standing Committee on Industry after second reading. A number of amendments were made to Bill C-54 at committee stage. Bill C-54 did not progress beyond report stage in the 1st session of the 36th Parliament prior to prorogation on 18 September 1999. Prior to the report stage amendments in the 2nd session, Bill C-6 was identical in content to Bill C-54 as amended by the Standing Committee on Industry. The purpose of this commentary is to note some of the key amendments to Bill C-54 adopted by that committee.

The Industry Committee held hearings on Bill C-54 beginning on 1 December 1998 and ending on 18 March 1999. Sixty groups or individuals appeared before the Committee, including the Minister of Industry, the Minister of Justice, the federal Privacy Commissioner, and two provincial privacy commissioners. Witnesses included representatives from public interest groups, historical research and archival associations, the Canadian Standards Association, the Canadian Bar Association, privacy and constitutional experts, journalists’ and writers’ groups, and health sector groups. Witnesses from the business sector included representatives from the banking, insurance, credit reporting, direct marketing, telecommunications, broadcasting, and information technology industries, and employer and employee associations.

During the Committee’s clause-by-clause review of Bill C-54, 39 amendments were carried. The Committee presented the report of its amendments to the House of Commons on 12 April 1999. No significant amendments were made to provisions in Parts 2 to 5 of Bill C-54, and no amendments were made to Schedule 1. However, a number of significant substantive amendments were made in committee to provisions in Part 1; the most notable of these are set out below.

   A. Definitions

  • Prior to the Committee’s review, Bill C-54 did not contain a definition of "commercial activity." A proposed amendment (clause 2(1)) to provide a definition was carried, though some Committee members expressed the view that the proposed definition was too vague to provide any useful guidance in determining which activities would or would not be considered "commercial." (The definition of "commercial activity" in Bill C-6 was subsequently amended at report stage.)

  • Prior to Committee review, the definition of "personal information" in Bill C-54 read as follows: "personal information means information about an identifiable individual that is recorded in any form." The definition was amended to read:

personal information means information about an identifiable individual but does not include the name, title or business address or telephone number of an employee of an organization. (clause 2(1))

The deletion of the words "that is recorded in any form" could be interpreted as having the effect of broadening the scope of "personal information" to include information that was not in any recorded form, such as DNA or blood samples.

   B. Exemptions

  • Prior to committee review of Bill C-54, clause 7(1)(b) provided an exemption from the requirement to obtain an individual’s consent for the collection of personal information if:

it is reasonable to expect that the collection from the individual would compromise the accuracy of the information or defeat the purpose or prejudice the use for which the information is collected.

After some witnesses had submitted that this broad exemption left a "gaping hole" in the legislation, clause 7(1)(b) was amended by the Committee and its scope narrowed. Under the amended provision, an exemption with respect to collection would be available if:

it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province.

As amended, clause 7(1)(b) would provide an exemption where it was necessary to collect personal information without informing the individual concerned, most notably in the circumstance of fraudulent activity. Witnesses representing insurance groups expressed concern about the effect that the amendment to this clause and other related clauses could have on their ability to combat insurance fraud.

  • An exemption from the requirement for consent in respect of the collection, use, or disclosure of personal information that was "publicly available and is specified by the regulations" was adopted (clause 7(1)(d), 7(2)(c.1), 7(3)(h.1))

  • With regard to the exemptions for use and for disclosure for statistical, or scholarly study or research, purposes, an amendment provided a new condition whereby the exemption would be available only if the purposes could not be achieved without using (disclosing) the information, pursuant to clause 7(2)(c) (clause 7(3)(f)). (Subsequently, clauses 7(2)(a) and 7(3)(d) in Bill  C-6 were amended, and clauses 7(3)(c.1) and 7(3)(h.2) in Bill C-6 were added, at report stage.)

   C. Deletions

  • Prior to its deletion by the Industry Committee, a provision was included in Bill C-54 that would have enabled the Minister of Industry, with Governor in Council approval, to delegate any of the Privacy Commissioner’s powers or duties under Part 1 to any provincial authorities acting under provincial legislation substantially similar to Part 1.

  • Prior to its deletion by the Industry Committee, a provision was included in Bill C-54 that would have enabled the Governor in Council to amend Schedule 1 to reflect changes to the CSA Code. Given that Schedule 1 is part of the bill, as a result of this deletion changes to the Schedule would need to be made by Parliament.

   D. Other

  • A primacy clause (clause 4(3)) was adopted in Bill C-54 to provide that "Every provision of this Part applies despite any other Act of Parliament, unless that Act expressly declares that it operates despite that provision." (Clause 4(3) in Bill C-6 was subsequently amended at report stage.)

  • Schedule 1 would require the collection of personal information to be limited to that necessary for the purposes identified by the organization (clause 4.4). However, the Schedule does not limit the purposes for collecting, using or disclosing information.(9) A purposes limitation clause (clause 5(3)) was added to specify that an organization would be able to collect, use or disclose personal information "only for the purposes that a reasonable person would consider are appropriate in the circumstances."

  • Clause 27 would now provide "whistleblowing" confidentiality protection for an individual who alerted the Privacy Commissioner to a contravention of Part 1 or of Schedule 1, while clause 27.1 would provide this protection for employees.

  • The Commissioner’s "search and seizure" powers (clauses 12(1) and 18(1)) relate to the investigation of a complaint or the audit of the personal information management practices of an organization. These powers were not amended; however, they were the subject of considerable discussion at committee stage and are noted here for this reason.


(1) The full title of Bill C-6 is "An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act."

* The bill was originally introduced in the first session of the 36th Parliament as Bill C-54. Bill C-54, introduced in the House of Commons on 1 October 1998, was referred to the Standing Committee on Industry after second reading. The Committee held hearings commencing 1 December 1998 and ending 18 March 1999. On 12 April, the bill was reported back to the House of Commons, with 39 amendments. By motion adopted 14 October 1999, the House of Commons provided for the reintroduction, in the second session, of legislation that had not received Royal Assent.

(2) Parts 3, 4, and 5 would respectively provide amendments to the Canada Evidence Act, the Statutory Instruments Act, and the Statute Revision Act. Part 6 contains a coming into force provision.

(3) As described further below, Part 1 would apply immediately to interprovincial or international commercial activities, but would not apply to commercial activities exclusively within a province for the first three years after the bill came into force (clause 30). If a province enacted legislation "substantially similar" to Part 1, the Governor in Council would be empowered to exempt organizations or activities within that province (clause 26(2)(b)).

(4) The expression "federal work, undertaking or business" is defined in clause 2 and is identical to the definition provided in section 2 of the Canada Labour Code.

(5) As noted earlier, paragraph 4(2)(c) would provide an exemption from the application of Part 1 for "journalistic, artistic or literary purposes." The exemption for the collection of personal information in clause 7(1)(c) would ensure that an organization that collected information for, for example, journalistic purposes, and subsequently used this information with consent for a non-journalistic purpose would not be in breach of the bill in respect of the original collection.

(6) If the organization were to refuse access on this basis it would be required to notify the Commissioner (clause 9(5)).

(7) Therefore, an individual would be able to file a complaint concerning the contravention of a "should" provision in Schedule 1, notwithstanding that clause 5(2) provides that the word "should" in Schedule 1 would not impose an obligation.

(8) Clause 14(1) lists the clauses pursuant to which a court application could be made. The list includes the following clauses: clauses 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7, and 4.8 of Schedule 1, clauses 4.3, 4.5 and 4.9 of Schedule 1 as modified by Division 1, and subclauses 5(3), 8(6) and (7) and clause 10 of Division 1. Any of the following issues would therefore provide grounds for a court application:

  1. whether an organization failed to provide a comparable level of protection while the personal information was being processed by a third party;

  2. whether an organization properly identified before collection the purposes for which the personal information was collected;

  3. whether the organization refused to provide a person with a service because the person would not give the organization unnecessary personal information;

  4. whether an organization collected personal information beyond what was necessary;

  5. whether the personal information was as accurate, complete, and up-to-date as necessary;

  6. whether the personal information was protected by appropriate safeguards;

  7. whether an organization made available specific information about its policies and practices;

  8. whether consent was obtained for the collection, use, or disclosure of personal information;

  9. whether the use, disclosure, or retention of the personal information was unauthorized;

  10. whether a person was advised of the existence, use, and disclosure of his or her personal information and given access to it;

  11. the amount the organization charged the requester for providing his or her personal information;

  12. the refusal to grant access;

  13. whether the personal information was collected, used or disclosed for purposes that a reasonable person would consider appropriate in the circumstances;

  14. whether information was retained for as long as necessary for the complaint to be resolved; or

  15. failure to provide personal information in an alternate format for a requester with a disability.

(9) Clause 4.3.3 provides a minor exception. This clause would prohibit an organization from requiring an individual’s consent for the collection, use or disclosure of information as a condition of the supply of a product or service, beyond that necessary to fulfil explicitly specified, and legitimate purposes.