This document was prepared by the staff of the Parliamentary
Research Branch to provide Canadian Parliamentarians with plain language background and
analysis of proposed government legislation. Legislative summaries are not government
documents. They have no official legal status and do not constitute legal advice or
opinion. Please note, the Legislative Summary describes the bill as of the date shown at
the beginning of the document. For the latest published version of the bill, please
consult the parliamentary internet site at www.parl.gc.ca.
LS-344E
BILL C-6: PERSONAL INFORMATION PROTECTION
AND ELECTRONIC DOCUMENTS ACT
Prepared by:
John Craig
Law and Government Division
15 October 1999
Revised 15 May 2000
LEGISLATIVE HISTORY OF BILL C-6

| Bill Stage | House of Commons | Senate |
|---|---|---|
| First Reading | 15 October 1999 | 2 November 1999 |
| Second Reading | 15 October 1999 | 6 December 1999 |
| Committee Report | 15 October 1999 | 7 December 1999 |
| Report Stage | 20 October 1999 | 7 December 1999 |
| Third Reading | 26 October 1999 | 9 December 1999 |

Message sent to House of Commons: 9 December 1999
Concurrence in Senate amendments: 4 April 2000
Royal Assent: 13 April 2000
Statutes of Canada 2000, c.5
N.B. Any substantive changes in this Legislative Summary which have
been made since the preceding issue are indicated in bold print.
TABLE OF CONTENTS
BACKGROUND
DESCRIPTION
A. Title (Clause 1)
Part 1
B. Definitions, Purpose, Application, Schedule 1 References (Clauses 2 to 5)
1. Definitions (Clause 2)
2. Purpose (Clause 3)
3. Application of Part 1 (Clause 4)
4. Provisions Referring to Schedule 1, Including Use of "should"; the "Reasonable Purposes" Requirement (Clause 5)
C. Exemptions from the Requirement of Knowledge or Consent (Clause 7)
1. Exemptions with Respect to Collection (Clause 7(1))
2. Exemptions with Respect to Use (Clause 7(2))
3. Exemptions with Respect to Disclosure (Clause 7(3))
4. Conditions Attached to the Exemptions for Statistical, or Scholarly Study or Research Purposes (Clause 7(2)(c) and 7(3)(f))
D. Rules Governing Access to Personal Information (Clauses 8 to 10)
1. Rules Regarding Time Limits, the Requirement to Retain Information, and Costs of Responding to a Complaint (Clauses 8 and 10)
a. Clause 8
b. Clause 10
2. When Access Could Be Refused (Clause 9)
E. Filing and Investigation of Complaints, Commissioner's Report (Clauses 11, 12 and 13)
1. Filing of a Complaint (Clause 11)
2. Investigation of a Complaint (Clause 12)
3. Commissioner's Report (Clause 13)
F. Court Hearing and Remedies (Clauses 14 to 17)
G. Other Duties and Powers of the Commissioner (Clauses 18 to 20 and 23 to 26)
1. Audits (Clauses 18 and 19)
2. The Commissioner Could Make Public the Personal Information Management Practices of an Organization (Clause 20(2))
3. Consultation with Provincial Authorities (Clause 23)
4. Commissioner's Public Education Mandate (Clause 24)
5. Annual Report (Clause 25)
H. Exclusion of Application of Part 1 within a Province (Clauses 30 and 26(2)(b))
I. Other Part 1 Provisions
1. Regulation-making Power of the Governor in Council (Clause 26(1))
2. "Whistleblower" Protection (Clauses 27 and 27.1)
3. Fines (Clause 28)
4. Parliamentary Review (Clause 29)
J. One-Year Exemption for "Personal Health Information" (Clause 30)
Schedule 1
1. Accountability
2. Identifying Principles
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
Parts 2 to 5
COMMENTARY: COMMITTEE STUDY OF BILL C-54 (PREDECESSOR BILL)
A. Definitions
B. Exemptions
C. Deletions
D. Other
BILL C-6: PERSONAL INFORMATION PROTECTION
AND ELECTRONIC DOCUMENTS ACT(1)*
BACKGROUND
Bill C-6 would introduce measures to
protect personal information in the private sector, create an electronic alternative for
doing business with the federal government, and clarify how the courts would assess the
reliability of electronic records used as evidence. The bill passed report stage on
20 October 1999 and is currently at third reading in the House of Commons.
Bill C-6 passed third reading in the
House of Commons on 26 October 1999, and received first reading in the Senate in
early November. The subject matter of the bill was subsequently referred to the Standing
Senate Committee on Social Affairs, Science and Technology, which held hearings in late
November and early December. The Committee's hearings focused largely on concerns
regarding the application of Part 1 of the bill to personal health information. The
Committee recommended amendments that would delay the application of the bill to personal
health information for one year following the coming into force of Part 1. The
purpose of these amendments was to provide health care stakeholders with an opportunity to
formulate legislative measures appropriate to the special nature of personal health
information. These amendments passed third reading in the Senate on 9 December, after
which the amended bill was returned to the House of Commons for consideration. The Senate
amendments were subsequently accepted by the House of Commons, and the bill received Royal
Assent on 13 April 2000.
The Governor in Council, on 26 April
2000, fixed the following dates for the coming into force of Parts 1 to 4 of the
newly passed Act:
(a) 1 May 2000 as the day on which
Parts 2, 3 and 4 shall come into force; and
(b) 1 January 2001 as the day on which
Part 1 shall come into force.
In light of the Senate amendments and the
order-in-council, the new Act will not apply to personal health information until
1 January 2002.
Bill C-6 is one of several components of
the Canadian Electronic Commerce Strategy announced by Prime Minister Chrétien on 22
September 1998, which is aimed at "recreating in cyberspace the same expectations of
trust, confidence and reliability that now exist in everyday commerce." The
government's stated goal is for Canada to become a world leader in electronic
commerce by the year 2000; this bill is one of the measures to be used to achieve this
goal.
The bill contains six parts, the most prominent of which
is Part 1, "Protection of Personal Information in the Private Sector." Together
with Schedule 1, which contains the CSA Model Code, Part 1 would establish rules governing
the collection, use and disclosure of, as well as access to, personal information in the
private sector. Part 2, entitled "Electronic Documents," would provide for the
use of electronic alternatives where federal laws now contemplate the use of paper to
record or communicate information. The other parts would provide amendments to other
federal statutes to facilitate the use and legal recognition of electronic documents.(2)
Currently, no federal legislation protects
personal information in the private sector. The federal Privacy Act provides such
protection to the public sector only. Part 1 of Bill C-6 is designed to fill this gap. The
Province of Quebec is the only jurisdiction in Canada, and indeed in North America, to
have enacted legislation applying to data protection in the private sector. Quebec's Act
Respecting the Protection of Personal Information in the Private Sector, also known as
Bill 68, came into force in 1994.
Part 1 of Bill C-6 also responds to recent
privacy initiatives in Europe. In 1995, the European Union passed its Directive on Data
Protection which introduces privacy protection applying to the private sector. The
Directive required member countries to adopt national data protection laws that meet the
standards of the Directive within three years (by 1998). Notably, Article 25 of the
Directive prohibits member countries from transferring personal information to a
non-member country or to a business located in a non-member country, if the non-member
country's laws do not provide adequate protection for personal information. The
Directive could, therefore, have a negative impact on Canadian businesses engaged in
commerce with companies in European Union countries, unless adequate privacy legislation
is introduced in Canada.
In Canada, a voluntary, private-sector
privacy code has already been in place for three years. Under the auspices of the Canadian
Standards Association (CSA), from 1992 to 1995 a committee comprising consumer, business,
government, and labour representatives developed a code for the protection of personal
information. The CSA Code, which is entitled the Model Code for the Protection of
Personal Information, sets out ten privacy protection principles with supporting
clauses. The CSA Code was approved as a national standard by the Standards Council of
Canada and was published in 1996.
Bill C-6 incorporates the CSA Code, which
is appended as Schedule 1. To the extent that many of the substantive provisions on
privacy protection are located in the Schedule rather than in the main body of the bill,
Bill C-6 is unusual in design.
During the hearings of the Standing
Committee on Industry on the bill's predecessor, Bill C-54, and during the report
stage debates of Bill C-6 in the House of Commons, discussion focused almost entirely on
Part 1 of the bill. The following description of Bill C-6 reflects this focus.
DESCRIPTION
A. Title (Clause 1)
The new Act would be called the Personal
Information Protection and Electronic Documents Act.
Part 1
Part 1 of Bill C-6 contains clauses 2 to
30. The provisions in Part 1 contain definitions, the purpose of Part 1, scope of
application, a "purposes limitation" requirement, and the exemptions whereby an
organization could collect, use and disclose personal information without the knowledge or
consent of the individual concerned. Part 1 also contains provisions regarding access by
individuals to their personal information, grounds for refusing an access request, the
manner in which a complaint could be brought forward, the Commissioner's powers of
investigation and audit, the Commissioner's report, court hearing and remedies, other
duties and powers of the Commissioner, the regulation and order-making powers of the
Governor in Council, "whistleblower protection," an offences and punishment
clause, and a transitional clause.
B. Definitions, Purpose, Application, Schedule 1 References (Clauses 2 to 5)
1. Definitions (Clause 2)
The most notable definitions in clause 2
are those for "commercial activity," "organization" and "personal
information." The definition of "commercial activity" provides that
commercial activity means "any particular transaction, act or conduct or any regular
course of conduct that is of a commercial character, including the selling, bartering or
leasing of donor, membership or other fundraising lists." The definition of
"organization" is inclusive, stating that an organization "includes an
association, a partnership, a person and a trade union." "Personal
information" is defined as "information about an identifiable individual but
[that] does not include the name, title or business address or telephone number of an
employee of an organization."
In its 6 December 1999 Report, the
Standing Senate Committee on Social Affairs, Science and Technology recommended that Bill
C-6 be amended to add a new definition, "personal health information," to clause
2 of the bill. This amendment, together with amendments to clause 30 delaying the
application of the bill to personal health information for one year, were passed in the
Senate and subsequently accepted by the House of Commons. The bill, as amended, received
Royal Assent on 13 April 2000.
2. Purpose (Clause 3)
Clause 3 states that the purpose of Part 1
is "to establish, in an era in which technology increasingly facilitates the
circulation and exchange of information, rules to govern the collection, use and
disclosure of personal information in a manner that recognizes the right of privacy of
individuals with respect to their personal information and the need of organizations to
collect, use and disclose personal information for purposes that a reasonable person would
consider appropriate in the circumstances."
As an interpretive aid to Part 1, clause 3
would appear to require that the rights of individuals to the privacy and security of
their information be balanced against the reasonable needs of organizations for
information in today's high-technology and information-based economy.
Clause 3 would also require that the
purposes for which information was collected, used or disclosed be limited to those that
"a reasonable person would consider appropriate in the circumstances." This
"reasonable purposes" limitation is also found in clause 5(3).
3. Application of Part 1 (Clause 4)
Pursuant to clause 4(1), Part 1 of the
bill would apply to organizations in relation to personal information that they collect,
use or disclose
- in the course of commercial activities,(3) or
- where the personal information is about an employee of the
organization, and in connection with the operation of a federal work, undertaking or
business.(4)
However, pursuant to clause 4(2), Part 1
would not apply
to any organization in
respect of personal information that it collected, used or disclosed for journalistic,
artistic or literary purposes and did not collect, use or disclose for any other purpose.
Clause 4(3) contains a "primacy
clause": every provision of Part 1 would take precedence over any subsequently
enacted provision of any other Act of Parliament, except where that Act expressly declared
that its provision(s) would operate despite the Part 1 provision(s).
4. Provisions Referring to Schedule 1, Including Use of "should"; the "Reasonable Purposes" Requirement (Clause 5)
Division 1 of Part 1 is entitled
"Protection of Personal Information" and contains clauses 5 to 10. The three
subclauses of clause 5 provide that:
- organizations would have to comply with the obligations set
out in Schedule 1, subject to the exceptions contained in clauses 6 to 9 (clause 5(1));
- the use of the word "should" in Schedule 1
indicates a recommendation and would not impose an obligation (clause 5(2));
- the purposes for which an organization could collect, use
or disclose personal information would be limited to those that "a reasonable person
would consider appropriate in the circumstances" (clause 5(3)).
As noted earlier, according to clause 5(3)
the purposes for which information could be collected, used, or disclosed would be limited
to those that were reasonable. The European Union's Directive on Data Protection
and the Quebec Civil Code contain similar "purposes limitation"
provisions, with stronger wording.
C. Exemptions from the Requirement of Knowledge or Consent (Clause 7)
Clause 7 is a key provision of Part 1.
This clause sets out the exemptions under which an organization would be allowed to
collect, use or disclose personal information without the knowledge or consent of the
individual concerned. Clauses 7(1), 7(2) and 7(3) respectively list the exemptions
available regarding collection, use, and disclosure.
Each of these three categories of
exemption includes an exemption for personal information that is publicly available, as
specified by the regulations (clause 7(1)(d), 7(2)(c.1), and 7(3)(h.1) respectively).
1. Exemptions with Respect to Collection (Clause 7(1))
An organization would be exempted from
obtaining consent with respect to the collection of personal information only
where:
(a) the collection was clearly in the
interests of the individual and consent could not be obtained in a timely way;
(b) it was reasonable to expect that the
collection with the knowledge or consent of the individual would compromise the
availability or the accuracy of the information and the collection was reasonable for
purposes related to investigating a breach of an agreement or a contravention of the laws
of Canada or a province;
(c) the
collection was solely for journalistic, artistic or literary purposes;(5) or
(d) the
information was publicly available and was specified by the regulations.
2. Exemptions with Respect to Use (Clause 7(2))
An exemption with respect to use
would only be allowed where:
(a) the organization became aware of
information that it had reasonable grounds to believe could be useful in the investigation
of a contravention of the laws of Canada, a province or a foreign jurisdiction that had
been, was being or was about to be committed, and the information was to be used for the
purpose of investigating that contravention;
(b) the information was used for the purpose of acting in
an emergency that threatened the life, health or security of an individual;
(c) the information was used for
statistical, or scholarly study, or research, purposes (under certain conditions described
below);
(c.1) the information was publicly
available and was specified by the regulations; or
(d) the information was collected under clause (1)(a) or
(b).
3. Exemptions with Respect to Disclosure (Clause 7(3))
An exemption with respect to disclosure
would only be allowed if disclosure was:
(a) made to legal counsel representing the organization;
(b) for the purpose of collecting a debt owed by the
individual to the organization;
(c) required to comply with a subpoena or
warrant issued or an order made by a court, person or body that had jurisdiction to compel
the production of information, or to comply with the rules of the court relating to the
production of records;
(c.1) to a government institution or part
of a government institution that had requested the information, identified its lawful
authority to obtain the information, and indicated that:
(i) it suspected that the information
related to national security, the defence of Canada or the conduct of international
affairs,
(ii) the disclosure was requested for the
purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out
an investigation relating to the enforcement of any such law, or gathering intelligence
for the purpose of enforcing any such law, or
(iii) the disclosure was necessary for the
purpose of administering any law of Canada or a province;
(d) made on the initiative of the
organization to an investigative body and the organization
(i) had reasonable grounds to believe that
the information related to a breach of an agreement or a contravention of the laws of
Canada, a province or a foreign jurisdiction that had been, was being or was about to be
committed, or
(ii) suspected that the information
related to national security, the defence of Canada or the conduct of international
affairs.
(e) made to a person who needed the
information because of an emergency that threatened the life, health or security of an
individual and, if the individual the information was about was alive, the organization
without delay informed that individual in writing of the disclosure;
(f) for statistical, or scholarly study or
research, purposes (under conditions which are described below);
(g) made to an institution whose functions
included the conservation of records of historic or archival importance and the disclosure
was made for the purpose of such conservation;
(h) made after either 100 years after the
creation of the record containing the information, or 20 years after the death of the
individual the information was about, whichever date was earlier;
(h.1) of information that was publicly
available and was specified by the regulations;
(h.2) made by an investigative body and
disclosure was reasonable for purposes related to investigating a breach of an agreement
or a contravention of the laws of Canada or a province; or
(i) required by law.
4. Conditions Attached to the Exemptions for Statistical, or Scholarly Study or Research Purposes (Clause 7(2)(c) and 7(3)(f))
An exemption for the use of personal
information for "statistical, or scholarly study or research, purposes" would be
allowed only if all of the following conditions were met (clause 7(2)(c)):
(i) the purposes could not be
achieved without using the information;
(ii) the information was used in a manner that would
ensure its confidentiality;
(iii) it was impracticable to obtain consent; and
(iv) the organization informed the Commissioner of the use
before the information was used.
An exemption for disclosure for
statistical, or scholarly study or research, purposes would be allowed only if conditions
analogous to (i), (iii) and (iv) above were met (clause 7(3)(f)).
D. Rules Governing Access to Personal Information (Clauses 8 to 10)
1. Rules Regarding Time Limits, the Requirement to Retain Information, and Costs of Responding to a Complaint (Clauses 8 and 10)
a. Clause 8
Clause 8 would provide procedural rules
respecting an individual's request for access to his or her personal information. An
organization would be required to respond within 30 days of receiving a request (clause
8(3)), but would be able to extend this time limit:
- where applicable, for a period necessary
to convert the personal information into an alternative format (for example, Braille),
pursuant to clause 8(4)(b).
Under clause 8(4), an organization that
extended its time limit would be required to send a notice of extension to the individual,
stating the reasons for the extension, and the individual's right to complain to the
Commissioner about the extension. Similarly, an organization that responded within the
time limit, but refused a request, would be required to inform the individual in writing,
setting out its reasons and any recourse available under Part 1 (i.e., the right to file a
complaint with the Commissioner, pursuant to clause 11(1)).
If an organization failed to respond
within the time limit it would be deemed to have refused the access request (clause 8(5)).
An organization would be able to respond
at a cost to the individual only if the individual had been informed of the approximate
cost and had advised the organization that the request was not being withdrawn (clause
8(6)).
Finally, clause 8(8) would require that an
organization that possessed information that was the subject of a request would be
required to retain it for as long as necessary to allow the individual any recourse
available under Part 1.
b. Clause 10
Clause 10 states the conditions under
which an organization would be required to give access in an alternative format, where the
individual requesting access had a sensory disability.
2. When Access Could Be Refused (Clause 9)
Clause 9 sets out the conditions under
which an organization would not be required to provide access to personal information.
Clause 9(1) would prohibit an organization from providing an individual with access to
information that would reveal personal information about a third party, unless the third
party information could be, and was, severed from the record. If the third party
consented, however, or if the individual needed the information because an
individual's life, health or security was threatened, the third party prohibition
would not apply (clause 9(2)).
The Minister of Industry introduced
amendments to clause 9 which were passed at report stage: specifically, clause 9(2.1),
(2.2), (2.3) and (2.4). Clause 9(2.1) would allow an individual to be informed about, or
provided access to, information about
- any disclosure of information to a
government institution, or part of a government institution, under clause 7(3)(c),
(c.1)(i) or (ii), or (d); or
- the existence of any information that
the organization had relating to such a disclosure, to a subpoena, warrant or order
referred to in clause 7(3)(c) or to a request by a government institution under clause
7(3)(c.1)(i) or (ii) (clause 9(2.1)).
Clause 9(2.2) would require an
organization to which clause 9(2.1) applied to notify the institution concerned without
delay of the request made by the individual. Under clause 9(2.3), the institution would be
required to notify the organization whether or not it objected to the organization's
compliance with the request. The institution could only object if it was of the opinion
that the request could reasonably be expected to be injurious to:
- national security, the defence of Canada or the conduct of
international affairs, or
- the enforcement of any law of Canada, a
province or a foreign jurisdiction, an investigation relating to the enforcement of any
such law, or the gathering of intelligence for the purposes of enforcing any such law.
If an organization was notified that the
institution objected to the organization's compliance with the request, the
organization would be required to refuse the request, to notify the Commissioner of the
refusal, and not to disclose to the individual
- any information that the organization had relating to the
disclosure,
- that the organization had notified an institution or the
Commissioner, or
- that the institution had objected to the disclosure (clause
9(2.4)).
Pursuant to clause 9(3), an organization
could refuse to give access to personal information in the following circumstances:
- the information was protected by solicitor-client
privilege;
- to do so would reveal confidential commercial information
(unless this information could be severed);
- to do so could reasonably be expected to threaten the life
or security of another individual (unless this information could be severed);
- the information was collected under clause 7(1)(b); i.e.,
collection was for purposes related to breach of an agreement or the detection of an
offence under federal or provincial law;(6) or
- the information was generated in the course of a formal
dispute resolution process.
None of the grounds for refusal under clause 9(3) would be
permitted, however, if the individual needed the information because an individual's
life, health or security was threatened.
E. Filing and Investigation of Complaints, Commissioner's Report (Clauses 11, 12 and 13)
1. Filing of a Complaint (Clause 11)
Under clause 11, a complaint could be
brought forward in two ways: by an individual who would file a complaint with the
Commissioner, or by the Commissioner on his or her own initiative.
An individual would be able to file a
complaint against an organization either for contravening a provision of Division 1 or for
not following a recommendation set out in Schedule 1(7) (clause 11(1)). The Commissioner would be able to initiate
a complaint only if satisfied that there were reasonable grounds to investigate a matter
under Part 1 (clause 11(2)).
Clause 11(3) would require a complaint
resulting from a refusal to grant an access request to be filed within six months, or any
longer period that the Commissioner allowed. Pursuant to clause 11(4), the Commissioner
would be required to give notice of a complaint to the organization.
2. Investigation of a Complaint (Clause 12)
The Commissioner would be required to
investigate a complaint, and for this purpose would be authorized to do as follows,
pursuant to clause 12(1):
- at any reasonable time, enter any
premises, other than a dwelling-house, occupied by the organization;
Pursuant to clause 12(2), the Commissioner
would also be authorized to attempt to resolve complaints by means of dispute resolution
mechanisms such as mediation and conciliation. In addition, the Commissioner would be
authorized to delegate any of the powers set out in subclauses (1) or (2) (clause 12(3)).
3. Commissioner's Report (Clause 13)
Within one year of the filing or
initiating of a complaint, the Commissioner would be required to prepare a report, and
send it to both the complainant and the organization. According to clause 13(1), the
report would contain:
- the Commissioner's findings and recommendations;
- any settlement reached by the parties;
- if appropriate, a request
that the organization provide the Commissioner with notice of any action taken or proposed
to implement the recommendations, or provide reasons why such action was not taken; and
- the recourse available under clause 14 (court hearing application).
The Commissioner would not be required to
prepare a report if he or she were satisfied that:
- such time had elapsed that a report would not serve a useful purpose; or
- the complaint was trivial, frivolous or vexatious or had been made in bad faith.
If a report was not prepared, the
Commissioner would be required to inform the complainant and the organization, and provide
reasons (clause 13(2)).
F. Court Hearing and Remedies (Clauses 14 to 17)
A complainant could, after receiving the
Commissioner's report, apply to the Federal Court Trial Division for a hearing
in respect of any matter reported by the Commissioner and that was referred to in any of
the clauses listed in clause 14(1).(8)
In respect of a complaint that the
Commissioner did not initiate, he or she would be authorized to:
The Court would be able, in addition to
any other remedies it could give:
Clause 17(2) would require the Court, in
any proceeding pursuant to clause 14 or 15, to take every reasonable precaution,
including, when appropriate, receiving representations ex parte and conducting
hearings in camera, to avoid the disclosure by the Court or any other person of any
information or other material that the organization would be authorized to refuse to
disclose if it were requested under clause 4.9 of Schedule 1.
G. Other Duties and Powers of the Commissioner (Clauses 18 to 20 and 23 to 26)
1. Audits (Clauses 18 and 19)
Under clause 18(1), on reasonable notice
and at any reasonable time, the Commissioner would be able to audit the personal
information practices of an organization if he or she had reasonable grounds to believe
that it
- was contravening a provision of Division 1, or
- was not following a recommendation set out in Schedule 1.
The Commissioner's powers for the
purpose of conducting an audit would be identical to those for conducting an
investigation. Specifically, the Commissioner would be able to compel and receive evidence
and administer oaths, enter an organization's premises, carry out inquiries, and
examine and obtain copies of records containing matters relevant to the audit (clause
18(1)). The Commissioner would also be authorized to delegate any of these powers (clause
18(2)).
The Commissioner would be required to provide a report to
the audited organization with the findings of the audit and any recommendations
(clause 19(1)). Clause 19(2) is particularly notable, in that it would provide
the Commissioner with discretion to include an audit report in his or her annual report to
Parliament.
2. The Commissioner Could Make Public the Personal Information Management Practices of an Organization (Clause 20(2))
Clause 20(1) would protect confidentiality
in respect of an audit or investigation, by prohibiting the Commissioner or any person
acting on the Commissioner's behalf from disclosing information arising out of the
performance of any of the Commissioner's powers or duties. However, subclauses (2) to
(5) would allow for a number of exceptions; the most notable of these (subclause (2))
would allow the Commissioner, where he or she considered it to be in the public interest,
to make public any information relating to the personal information management practices
of an organization.
3. Consultation with Provincial Authorities (Clause 23)
Clause 23 would provide authority to the
Commissioner to consult with provincial authorities. Specifically, the Commissioner would
be authorized to consult and enter into agreements with any person who, under provincial
legislation substantially similar to Part 1, had similar powers and duties. The
Commissioner would also be authorized to co-ordinate activities, undertake and publish
research, and develop model contracts for the protection of personal information that was
collected, used or disclosed interprovincially or internationally.
4. Commissioner's Public Education Mandate (Clause 24)
Clause 24 would give the Commissioner a
public education mandate whereby he or she would be required to develop and conduct
information programs to foster public understanding of the purposes of Part 1, undertake
and publish research related to the protection of personal information, encourage
organizations to develop policies and practices including codes of practice to comply with
the provisions of Division 1, and promote the purposes of Part 1.
5. Annual Report (Clause 25)
Clause 25 would require the Commissioner
to submit an annual report to Parliament concerning the application of Part 1, the extent
to which the provinces had enacted substantially similar legislation, and the application
of such legislation.
H. Exclusion of Application of Part 1 within a Province (Clauses 30 and 26(2)(b))
Clause 30(1) would provide that Part 1
would not apply to "any organization in respect of personal information that it
collects, uses or discloses within a province whose legislature has the power to regulate
the collection, use or disclosure of the information, unless the organization does it in
connection with the operation of a federal work, undertaking or business or the
organization discloses the information outside the province for consideration."
Clause 30(2) would provide that the exclusion of the application of Part 1 within a
province would cease to have effect three years after clause 30 came into force.
Otherwise stated, under clause 30, Part 1
would initially apply to the federally regulated private sector (for example, the
telecommunications, broadcasting, banking, and airline industries) and to federal Crown
corporations operating in these areas. Part 1 would also immediately apply to
interprovincial and international flows of personal information for commercial purposes.
Three years after coming into force, Part 1 would apply more broadly, to cover private
sector commercial activities within the provinces.
Under clause 27(2)(b), however, the
Governor in Council would have the power to exempt an organization, class of
organizations, activity or class of activities from the application of Part 1, if the
Governor in Council were satisfied that a province had adopted legislation that was
substantially similar to Part 1 which applied to the organization, class of organizations,
activity or class of activities in question. This exemption would be limited, however, to
the collection, use or disclosure of personal information within the province.
I. Other Part 1 Provisions
1. Regulation-making Power of the Governor in Council (Clause 26(1))
Under clause 26(1), the Governor in
Council would be empowered to make regulations:
specifying, by name or by class, what
would be considered a government institution or part of a government institution, and what
would be considered an investigative body;
2. "Whistleblower" Protection (Clauses 27 and 27.1)
A person who had reasonable grounds to
believe that another person had contravened or intended to contravene, a provision of
Division 1 would be protected, provided he or she notified the Commissioner and requested
that his or her identity be kept confidential (clause 27). Where the Commissioner provided
an assurance of confidentiality, the whistleblower's identity would not have to be
disclosed.
Clause 27.1 would provide protection
specifically for employees who, acting in good faith and on the basis of reasonable
belief:
had done or stated an intention of doing
anything that was required to be done in order to prevent contravention of a provision of
Division 1, or, where the employer believed that the employee would do any of the above
actions.
The protection provided would be against
dismissal, suspension, demotion, discipline, harassment, disadvantage or other denial of a
benefit of employment by the employer.
Under clause 27.1, the definition of
"employee" would include an independent contractor. Clause 28 would provide
for a fine for any person who knowingly took action against a whistleblowing employee.
3. Fines (Clause 28)
Clause 28 would provide for a fine as the
penalty for three types of contravention under Part 1, specifically in respect of every
person who knowingly:
- contravened the requirement to retain information under
clause 8(8);
- took action against a whistleblowing employee, contrary to
clause 27.1; or
- obstructed the Commissioner or the Commissioner's
delegate in the investigation of a complaint or in conducting an audit.
The amount of the fine would be limited to
$10,000 for a summary conviction offence, and $100,000 for an indictable offence.
4. Parliamentary Review (Clause 29)
Clause 29 would provide for a review of
Part 1 by Parliament every five years.
J. One-Year Exemption for "Personal Health Information" (Clause 30)
In its Report to the Senate on
6 December 1999, the Standing Senate Committee on Social Affairs, Science and
Technology recommended that clause 30 of the bill be amended. A new clause, clause
30(1.1), would provide that Part 1 would not apply to any organization in respect of
personal health information that it collected, used or disclosed. Under a second new
clause, clause 30(2.1), clause 30(1.1) would cease to have effect one year after the day
clause 30 came into force.
These amendments were passed by the Senate
and subsequently accepted by the House of Commons. Bill C-6 received Royal Assent on
13 April 2000. Pursuant to an order-in-council dated 26 April 2000, Part 1
of the bill (which includes clause 30) will come into force on 1 January 2001. This
means that, under clause 30(2.1), the "exemption" for personal health
information will expire on 1 January 2002.
Schedule 1
The full title of Schedule 1 is
"Principles Set Out in the National Standard of Canada entitled Model Code for the
Protection of Personal Information, CAN/CSA-Q830-96." This code is commonly referred
to as the CSA Code. Schedule 1 contains ten overarching principles (Accountability;
Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and
Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance),
each of which is supported by a number of more specific clauses. Schedule 1 was not
amended at report stage.
Some of the provisions in Schedule 1
contain language not typically found in legislation. While most of the clauses in the
Schedule contain the word "shall," thereby imposing an obligation, other clauses
are merely explanatory, while still others contain the word "should," reflecting
the fact that the CSA Code was originally drafted to provide voluntary, rather than
legally mandated, standards. The provisions containing "should" or wording such
as " organizations are encouraged to" were intended to provide "best
practices" guidance.
It is noted, however, that clause 11(1) of
Part 1 would allow an individual to file a complaint against an organization for
contravening a recommendation set out in Schedule 1. Similarly, clause 18(1) of Part 1
would authorize the Commissioner to audit an organization upon reasonable belief that the
organization was not following a recommendation in Schedule 1.
It is also noted that a number of the
clauses in Part 1 would override, modify, or provide exceptions to some of the clauses in
Schedule 1. The most notable examples of legislative override in Part 1 concern Principles
3 (Consent) and 9 (Individual Access), both of which are followed by explanatory notes.
However, clause 7(1), (2), (3) and clause 9(1) and (3) of Part 1 would provide exemptions
to replace those set out in the explanatory notes.
The statements that head each of the ten
principles in Schedule 1 are provided below; the clauses and explanatory notes are not
included.
1. Accountability
Principle 1 states that an organization
would be responsible for personal information under its control and would have to
designate an individual or individuals who were accountable for the organization's
compliance with the following principles.
It is noted that clause 6 of Part 1 would
elaborate on Principle 1 to say that, by designating an individual under Principle 1, an
organization would not be relieved of complying with the obligations set out in Schedule
1.
2. Identifying Principles
The purposes for which personal
information was collected would have to be identified by the organization at or before the
time the information was collected.
3. Consent
The knowledge and consent of the
individual would be required for the collection, use or disclosure of personal
information, except where this was inappropriate.
4. Limiting Collection
The collection of personal information
would have to be limited to that necessary for the purposes identified by the
organization. Information would be required to be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention
Principle 5 states that personal
information could not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by the law. The
Principle also states that personal information could be retained only as long as was
necessary for fulfilment of those purposes.
It is noted that the statement above
referring to use or disclosure would be subject to override by clause 7(4) and (5) of Part
1, whereby an organization could use or disclose personal information for purposes other
than those for which it was collected, and which are set out in clause 7(2) and (3).
6. Accuracy
Personal information would have to be as
accurate, complete and up-to-date as was necessary for the purposes for which it was to be
used.
7. Safeguards
Personal information would have to be
protected by security safeguards appropriate to the sensitivity of the information.
8. Openness
An organization would be required to make
specific information about its policies and practices relating to the management of
personal information readily available to individuals.
9. Individual Access
Upon request, an individual would have to
be informed of the existence, use and disclosure of his or her personal information and be
given access to that information. The individual would have the right to challenge its
accuracy and completeness and have it amended as appropriate.
10. Challenging Compliance
An individual would be able to address a
challenge concerning compliance with the above principles to the designated individual or
individuals accountable for the organization's compliance.
Parts 2 to 5
According to clause 32, the stated purpose
of Part 2 of Bill C-6 is to provide for the use of electronic alternatives where federal
laws contemplate the use of paper to record or communicate information or transactions.
This Part would permit federal departments, agencies or other bodies to communicate and
deliver services electronically. Enabling and interpretive provisions under Part 2 would
introduce a degree of equivalency between paper and electronic formats.
A key component of Part 2 is the concept
of "secure electronic signature," whereby federal government departments would
ensure the integrity and reliability of electronic transmissions. Under the proposed
legislation, individual government departments would be able to opt into the legislative
scheme when they had developed the appropriate technological and operational capacity to
do so. Clause 48(1) of Part 2 would authorize the Governor in Council, on recommendation
of the Treasury Board, to make regulations prescribing technologies or processes for
defining "secure electronic signature." Other provisions in Part 2 would
assist the courts to recognize secure electronic signatures and how they would be used in
relation to electronic documents.
A related element of the proposed
legislation concerns electronic documents used as evidence in legal proceedings. Usually,
evidence in the form of an original document is required to satisfy a court that the terms
and conditions of an agreement have not been altered since it was signed. This requirement
is known as the "best evidence" rule. In the case of electronic documents,
however, this rule is difficult to satisfy because the original cannot be distinguished
from an amended document and because the document is not authenticated by hand-written
signatures. The federal government would, therefore, require the use of secure electronic
signatures for electronic documents whenever the law required original documents or
statements of truth.
Part 3 of the bill would provide
amendments to the Canada Evidence Act to give notices and Acts published
electronically by the Queen's Printer the same legal authority as notices and Acts
published on paper. Part 3 also contains provisions to clarify how the courts would assess
the integrity of an electronic document introduced as evidence.
Part 4 would amend the Statutory
Instruments Act to allow an electronic version of the Canada Gazette to have
official status. Part 5 would authorize the publication of revisions of the statutes and
regulations of Canada, as well as the consolidated version of the statutes and
regulations, in either print or electronic form. The amendments in Parts 4 and 5 would be
brought into force when the appropriate technology was in place for ensuring the integrity
of the electronic versions.
Pursuant to an order-in-council dated
26 April 2000, Parts 2, 3 and 4 shall come into force on 1 May 2000.
COMMENTARY: COMMITTEE STUDY OF BILL C-54 (PREDECESSOR BILL)
Bill C-6 was preceded by Bill C-54, of the
same title. Bill C-54 was introduced in Parliament on 1 October 1998 and was referred to
the House of Commons Standing Committee on Industry after second reading. A number of
amendments were made to Bill C-54 at committee stage. Bill C-54 did not progress beyond
report stage in the 1st session of the 36th Parliament prior to
prorogation on 18 September 1999. Prior to the report stage amendments in the 2nd
session, Bill C-6 was identical in content to Bill C-54 as amended by the Standing
Committee on Industry. The purpose of this commentary is to note some of the key
amendments to Bill C-54 adopted by that committee.
The Industry Committee held hearings on
Bill C-54 beginning on 1 December 1998 and ending on 18 March 1999. Sixty groups or
individuals appeared before the Committee, including the Minister of Industry, the
Minister of Justice, the federal Privacy Commissioner, and two provincial privacy
commissioners. Witnesses included representatives from public interest groups, historical
research and archival associations, the Canadian Standards Association, the Canadian Bar
Association, privacy and constitutional experts, journalists' and writers'
groups, and health sector groups. Witnesses from the business sector included
representatives from the banking, insurance, credit reporting, direct marketing,
telecommunications, broadcasting, and information technology industries, and employer and
employee associations.
During the Committee's
clause-by-clause review of Bill C-54, 39 amendments were carried. The Committee presented
the report of its amendments to the House of Commons on 12 April 1999. No significant
amendments were made to provisions in Parts 2 to 5 of Bill C-54, and no amendments were
made to Schedule 1. However, a number of significant substantive amendments were made in
committee to provisions in Part 1; the most notable of these are set out below.
A. Definitions
Prior to the Committee's review,
Bill C-54 did not contain a definition of "commercial activity." A proposed
amendment (clause 2(1)) to provide a definition was carried, though some Committee members
expressed the view that the proposed definition was too vague to provide any useful
guidance in determining which activities would or would not be considered
"commercial." (The definition of "commercial activity" in Bill C-6 was
subsequently amended at report stage.)
personal information means information
about an identifiable individual but does not include the name, title or business address
or telephone number of an employee of an organization. (clause 2(1))
The deletion of the words "that is recorded in any
form" could be interpreted as having the effect of broadening the scope of
"personal information" to include information that was not in any recorded form,
such as DNA or blood samples.
B. Exemptions
- Prior to committee review of Bill C-54, clause 7(1)(b)
provided an exemption from the requirement to obtain an individual's consent for the
collection of personal information if:
it is reasonable to expect that the
collection from the individual would compromise the accuracy of the information or defeat
the purpose or prejudice the use for which the information is collected.
After some witnesses had submitted that
this broad exemption left a "gaping hole" in the legislation, clause 7(1)(b) was
amended by the Committee and its scope narrowed. Under the amended provision, an exemption
with respect to collection would be available if:
it is reasonable to expect that the
collection with the knowledge or consent of the individual would compromise the
availability or the accuracy of the information and the collection is reasonable for
purposes related to investigating a breach of an agreement or a contravention of the laws
of Canada or a province.
As amended, clause 7(1)(b) would provide
an exemption where it was necessary to collect personal information without informing the
individual concerned, most notably in the circumstance of fraudulent activity. Witnesses
representing insurance groups expressed concern about the effect that the amendment to
this clause and other related clauses could have on their ability to combat insurance
fraud.
An exemption from the requirement for
consent in respect of the collection, use, or disclosure of personal information that was
"publicly available and is specified by the regulations" was adopted (clause
7(1)(d), 7(2)(c.1), 7(3)(h.1)).
With regard to the exemptions for use
and for disclosure for statistical, or scholarly study or research, purposes, an amendment
provided a new condition whereby the exemption would be available only if the purposes
could not be achieved without using (disclosing) the information, pursuant to clause
7(2)(c) (clause 7(3)(f)). (Subsequently, clauses 7(2)(a) and 7(3)(d) in
Bill C-6 were amended, and clauses 7(3)(c.1) and 7(3)(h.2) in Bill C-6 were
added, at report stage.)
C. Deletions
Prior to its deletion by the Industry
Committee, a provision was included in Bill C-54 that would have enabled the Minister of
Industry, with Governor in Council approval, to delegate any of the Privacy
Commissioner's powers or duties under Part 1 to any provincial authorities acting
under provincial legislation substantially similar to Part 1.
Prior to its deletion by the Industry
Committee, a provision was included in Bill C-54 that would have enabled the Governor in
Council to amend Schedule 1 to reflect changes to the CSA Code. Given that Schedule 1 is
part of the bill, as a result of this deletion changes to the Schedule would need to be
made by Parliament.
D. Other
A primacy clause (clause
4(3)) was adopted in Bill C-54 to provide that "Every provision of this Part applies
despite any other Act of Parliament, unless that Act expressly declares that it operates
despite that provision." (Clause 4(3) in Bill C-6 was subsequently amended at report
stage.)
Schedule 1 would require the
collection of personal information to be limited to that necessary for the purposes
identified by the organization (clause 4.4). However, the Schedule does not limit the
purposes for collecting, using or disclosing information.(9) A purposes limitation clause (clause 5(3)) was added to
specify that an organization would be able to collect, use or disclose personal
information "only for the purposes that a reasonable person would consider are
appropriate in the circumstances."
The Commissioner's
"search and seizure" powers (clauses 12(1) and 18(1)) relate to the
investigation of a complaint or the audit of the personal information management practices
of an organization. These powers were not amended; however, they were the subject of
considerable discussion at committee stage and are noted here for this reason.
(1) The
full title of Bill C-6 is "An Act to support and promote electronic commerce by
protecting personal information that is collected, used or disclosed in certain
circumstances, by providing for the use of electronic means to communicate or record
information or transactions and by amending the Canada Evidence Act, the Statutory
Instruments Act and the Statute Revision Act."
* The bill was originally
introduced in the first session of the 36th Parliament as Bill C-54. Bill C-54,
introduced in the House of Commons on 1 October 1998, was referred to the Standing
Committee on Industry after second reading. The Committee held hearings commencing 1
December 1998 and ending 18 March 1999. On 12 April, the bill was reported back to
the House of Commons, with 39 amendments. By motion adopted 14 October 1999, the House of
Commons provided for the reintroduction, in the second session, of legislation that had
not received Royal Assent.
(2) Parts 3, 4, and 5 would respectively
provide amendments to the Canada Evidence Act, the Statutory Instruments Act,
and the Statute Revision Act. Part 6 contains a coming into force provision.
(3) As described further below, Part 1 would
apply immediately to interprovincial or international commercial activities, but would not
apply to commercial activities exclusively within a province for the first three years
after the bill came into force (clause 30). If a province enacted legislation
"substantially similar" to Part 1, the Governor in Council would be empowered to
exempt organizations or activities within that province (clause 26(2)(b)).
(4) The expression "federal work, undertaking or
business" is defined in clause 2 and is identical to the definition provided in
section 2 of the Canada Labour Code.
(5) As noted earlier, paragraph 4(2)(c) would
provide an exemption from the application of Part 1 for "journalistic, artistic or
literary purposes." The exemption for the collection of personal information in
clause 7(1)(c) would ensure that an organization that collected information for, for
example, journalistic purposes, and subsequently used this information with consent for a
non-journalistic purpose would not be in breach of the bill in respect of the original
collection.
(6) If the organization were to refuse access on this basis
it would be required to notify the Commissioner (clause 9(5)).
(7) Therefore, an individual would be able to file a
complaint concerning the contravention of a "should" provision in Schedule 1,
notwithstanding that clause 5(2) provides that the word "should" in Schedule 1
would not impose an obligation.
(8) Clause
14(1) lists the clauses pursuant to which a court application could be made. The list
includes the following clauses: clauses 4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7, and 4.8 of
Schedule 1, clauses 4.3, 4.5 and 4.9 of Schedule 1 as modified by Division 1, and
subclauses 5(3), 8(6) and (7) and clause 10 of Division 1. Any of the following issues
would therefore provide grounds for a court application:
whether an organization failed to
provide a comparable level of protection while the personal information was being
processed by a third party;
whether an organization properly
identified before collection the purposes for which the personal information was
collected;
whether the organization refused to
provide a person with a service because the person would not give the organization
unnecessary personal information;
whether an organization collected
personal information beyond what was necessary;
whether the personal information was as
accurate, complete, and up-to-date as necessary;
whether the personal information was
protected by appropriate safeguards;
whether an organization made available
specific information about its policies and practices;
whether consent was obtained for the
collection, use, or disclosure of personal information;
whether the use, disclosure, or
retention of the personal information was unauthorized;
whether a person was advised of the
existence, use, and disclosure of his or her personal information and given access to it;
the amount the organization charged the
requester for providing his or her personal information;
the refusal to grant access;
whether the personal information was
collected, used or disclosed for purposes that a reasonable person would consider
appropriate in the circumstances;
whether information was retained for as
long as necessary for the complaint to be resolved; or
failure to provide personal information
in an alternate format for a requester with a disability.
(9) Clause 4.3.3 provides a minor exception. This clause
would prohibit an organization from requiring an individual's consent for the
collection, use or disclosure of information as a condition of the supply of a product or
service, beyond that necessary to fulfil explicitly specified, and legitimate purposes.