|
|
Q. |
What is covered by the Privacy Act
and the Personal Information Protection and Electronic Documents
Act? |
A. |
Canadians are protected by two federal privacy laws, the Privacy
Act and the Personal Information Protection and Electronic
Documents Act.
The Privacy Act took effect on July 1, 1983. This Act
imposes obligations on some 150 federal government departments and
agencies to respect the privacy rights of Canadians by placing limits
on the collection, use and disclosure of personal information. The
Privacy Act gives Canadians the right to access and correct
personal information about them held by these federal government
organizations.
As of January 1, 2001, individuals are also protected by the Personal
Information Protection and Electronic Documents Act which sets
out ground rules for how private sector organizations may collect,
use or disclose personal information in the course of commercial
activities.
The law gives individuals the right to see and ask for corrections
to information an organization may have collected about them. Since
the beginning of this year, the Act applies to personal information
about customers or employees that is collected used or disclosed
by the federally regulated sector in the course of commercial activities.
In addition, the Act covers all businesses and organizations engaged
in commercial activity in Yukon, the Northwest Territories and Nunavut
as well as information sold across provincial and territorial boundaries.
As of January 1, 2002, the personal health information collected,
used or disclosed by these organizations is also covered.
As of January 1, 2004, the Act will cover the collection, use or
disclosure of personal information in the course of any commercial
activity within provinces, including provincially regulated organizations.
The Act will also apply to all personal information in all inter-provincial
and international transactions by all organizations subject to the
Act. The federal government may exempt organizations or activities
in provinces that have their own privacy laws if they are deemed
to be substantially similar to the federal law. To assist in making
that determination, the Privacy Commissioner is mandated, under
the Act, to report to Parliament on the extent to which provinces
have passed legislation that is in fact substantially similar.
Oversight of both Acts rests with the Privacy Commissioner of Canada
who is also authorized to receive and investigate complaints. |
Back
|
Q. |
What is the role of the Privacy Commissioner
of Canada? |
A. |
According to the Privacy Act and the Personal Information Protection
and Electronic Documents Act, the Privacy Commissioner of Canada is
responsible for ensuring that the federal government and companies
in the private sector collect, use or disclose personal information
in a manner that is responsible and transparent. These Acts governing
personal information provide the Privacy Commissioner of Canada with
the authority to ensure organizations and federal departments are
held accountable for their information handling practices. Within
the federal public sector, the Privacy Commissioner of Canada can
initiate audits of information practices randomly. In conducting
an audit, the Commissioner has the power to summon any person before
her. She also has the authority to administer oaths, receive evidence
and, enter the premises of an organization, after fulfilling security
requirements. The Commissioner can also examine or obtain copies
of any records found.
The Commissioner is impartial and nonpartisan, which means she can
act independently to investigate complaints from individuals. This
mandate extends to both the federal public sector and the private
sector. As such, the Privacy Commissioner of Canada can make recommendations
to improve how personal information is handled. She can also publicize
recommendations and reports. In some cases, the Commissioner can
refer cases to the Federal Court. At this level, the Court can award
damages to a complainant, including damages for humiliation.
As ombudsman, the Commissioner doesn't issue orders or impose penalties,
but rather arrives at her decisions through a process of inquiry
and persuasion, a process which underlines her impartiality and
dedication to problem resolution.
However, it is a criminal offence to obstruct the Commissioner
during an investigation or audit or to knowingly dispose of personal
information that could be subject to a request. The legislation
also makes it a criminal offence for employers to take retaliatory
actions against employees.
The Privacy Commissioner of Canada's mandate also includes research,
education and promotion of privacy issues in Canada. As an Agent
of Parliament, the Privacy Commissioner of Canada reports directly
to the House of Commons and to the Senate.
|
Back
|
Q. |
Under the Privacy Act, what is
the federal government's responsibility in handling Canadians' personal
information? |
A. |
The Act establishes a fair information code to regulate government
handling of personal records, which requires the federal government
to:
- limit its collection of personal information to the minimum
details needed to operate programs or activities;
- collect the information, whenever possible, directly from the
person concerned;
- tell the person why the information is being collected and how
it will be used;
- not use the information for purposes other than those specified,
unless allowed by law;
- keep the information for long enough to allow the person a reasonable
opportunity to obtain access;
- ensure the information is as accurate, up-to-date and complete
as possible; and,
- not disclose personal information unless specifically allowed
by the Privacy Act or another law.
|
Back
|
Q. |
What is "personal information?" |
A. |
Personal information is any factual or subjective information,
recorded or not, about an identifiable individual. It includes:
- age, name, weight, height;
- medical records;
- ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary
action; and,
- employee files, credit records, loan records, existence of a
dispute between a consumer and a merchant, intentions (for example,
to acquire goods or services, or change jobs.)
Personal information does not include your job title, telephone
number or address, anything that might appear on your business card,
or can be found through publicly available information such as the
telephone book. |
|
Q. |
What kind of personal information held
by the federal government does the Privacy Act cover? |
A. |
It applies to the whole range of federal government records,
for example:
- pension and unemployment insurance files;
- medical records;
- tax records;
- security clearances;
- student loan applications; and,
- military records.
The information may be recorded "in any form" and so
includes video and audio tape, and any electronic information medium.
To find out how to gain access to the personal information the
federal government holds visit InfoSource at http://infosource.gc.ca
or call 1 800 635-7943. |
Back
|
Q. |
How does the Personal Information
Protection and Electronic Documents Act require businesses to
deal with personal information? |
A. |
The law requires organizations to:
- obtain your consent when they collect, use or disclose your
personal information;*
- supply you with a product or a service even if you refuse consent
for the collection, use or disclosure of your personal information
unless the information is essential to the transaction;*
- collect information by fair and lawful means; and,
- provide personal information policies that are clear, understandable
and readily available.
Organizations should destroy, erase or make anonymous personal
information about you that it no longer needs in order to fulfil
the purpose for which it was collected.
*There are exceptions to these principles. For example: an organization
may not need to obtain your consent if collecting the information
clearly benefits you and your consent cannot be obtained in a timely
way; or if the information is needed by a law enforcement agency
for an investigation, and getting consent might compromise the information's
accuracy. |
Back
|
Q. |
How does the Personal Information
Protection and Electronic Documents Act protect my personal information?
|
A. |
Your ability to control your personal information is key to your
right to privacy. The Act gives you control over your personal information
by requiring organizations to obtain your consent to collect, use
or disclose information about you.
The law gives you the right to:
- know why an organization collects, uses or discloses your personal
information;
- expect an organization to collect, use or disclose your personal
information reasonably and appropriately, and not use the information
for any purpose other than that to which you have consented;
- know who in the organization is responsible for protecting your
personal information;
- expect an organization to protect your personal information
by taking appropriate security measures;
- expect the personal information an organization holds about
you to be accurate, complete and up-to-date;
- obtain access to your personal information and ask for corrections;
and,
- complain about how an organization handles your personal information,
confidentially if requested.
|
|
Q. |
What is not covered
by the Personal Information Protection and Electronic Documents
Act? |
A. |
- The Collection, use or disclosure of personal information by
federal government organizations listed in the Privacy Act;
- Provincial or territorial governments and their agents;
- An employee's name, title, business address or telephone number;
- An individual's collection, use or disclosure of personal information
strictly for personal purposes (e.g. personal greeting card list);
and,
- The collection, use or disclosure of personal information solely
for journalistic, artistic or literary purposes.
|
Back
|
|