Privacy Legislation

Canada Gazette, Part II

Volume 135, Number 1

Ottawa, Wednesday, January 3, 2001

Important Notice:

The electronic versions of Parts I and II of the Canada Gazette are produced in ASCII (American Standard for Computer Information Interchange) format in separate English and French files. This is a pilot project to allow easier access to the publications. The ASCII format was chosen to be the most appropriate alternate format because this common text language can be read by virtually any software package available. Tables and objects such as graphics, equations, charts, chemical symbols, forms and illustrations are extracted from the body of the text because they do not convert to the ASCII format. Therefore, please communicate with the contact person found within the notice for further information on the extracted objects.

Table of Contents

SOR/2001-6 - December 13, 2000

[1776]

Regulations Specifying Investigative Bodies

Statutory Authority

Personal Information Protection and Electronic Documents Act

Sponsoring Department

Department of Industry

SOR/2001-7 - December 13, 2000

[1777]

Regulations Specifying Publicly Available Information

Statutory Authority

Personal Information Protection and Electronic Documents Act

Sponsoring Department

Department of Industry

SOR/2001-8 - December 13, 2000

[1778]

Order Binding Certain Agents of Her Majesty for the Purposes of Part 1 of the Personal Information Protection and Electronic Documents Act

Statutory Authority

Personal Information Protection and Electronic Documents Act

Sponsoring Department

Department of Industry

Registration

SOR/2001-6 13 December, 2000

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Regulations Specifying Investigative Bodies

P.C. 2000-1776 13 December, 2000

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(1)(a.01) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) hereby makes the annexed Regulations Specifying Investigative Bodies.

REGULATIONS SPECIFYING INVESTIGATIVE BODIES

INVESTIGATIVE BODIES

1. The following investigative bodies are specified, by name or by class, for the purposes of paragraphs 7(3)(d) and (h.2) of the Personal Information Protection and Electronic Documents Act:

(a) the Insurance Crime Prevention Bureau, a division of the Insurance Council of Canada; and

(b) the Bank Crime Prevention and Investigation Office of the Canadian Bankers Association.

COMING INTO FORCE

2. These Regulations come into force on January 1, 2001.

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Description

Part 1 of the Personal Information Protection and Electronic Documents Act establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. The legislation requires an organization, which is disclosing personal information, to obtain the individual's consent in most circumstances. An exception to this rule is found in paragraphs 7(3)(d) and (h.2) of Part 1 of the Act which permit the disclosure of personal information to and by a private investigative body, without the knowledge or consent of the individual, if the investigative body is specified by the Regulations. The purpose of this Regulation is to name the investigative bodies for the purposes of paragraph 7(3)(d) or (h.2) of Part 1 of the Act.

Increasingly, many fraud investigations are initially launched by private sector organizations (e.g., a bank or insurance company) by way of an independent, non-governmental investigative body. Should the investigative body's preliminary investigation reveal grounds for suspecting that a fraud has been committed or a law contravened, the organization will then turn the findings over to a police or other enforcement agency for further action. Paragraph 7(3)(d) allows an organization to disclose personal information, without the consent of the individual, to the appropriate private sector investigative body in order to conduct the preliminary investigation. The disclosure is circumscribed as it must be a reasonable disclosure related to investigations of breaches of agreements or contraventions of the law. Paragraph 7(3)(h.2) allows an investigative body to disclose personal information back to the client organization on whose behalf it is conducting the investigation.

Paragraph 7(3)(h.2) completes the exception provided in paragraph 7(1)(b) for collection without consent for the purposes of the prevention of fraud by extending it to disclosure. Collection alone would be of limited use to those combatting fraud, unless the information could be disclosed to the parties that need the information. However, without paragraph 7(3)(h.2), the flow of information could only go in one direction - from the organization to the investigative body. The investigative body would be unable to disclose the results of its investigation back to the client organization without consent.

The ability to exchange personal information between private organizations without consent for investigative purposes is the only exception granted to these organizations by the Regulation. Organizations and investigative bodies which exchange personal information will remain responsible for compliance with all other requirements of the Act for this information, and will be subject to oversight by the Privacy Commissioner of Canada and the ability of individuals to seek redress in the Federal Court of Canada.

During the preparation of these Regulations, Industry Canada developed a set of criteria that would be used in the assessment of candidates for investigative bodies. These criteria were intended to cover privacy concerns associated with allowing organizations to disclose personal information without consent for investigative purposes. All of the criteria would not necessarily be applicable to each investigative body. The criteria were based on the following considerations:

* The specific contraventions of law or breaches of agreements against which the investigative activities are directed.

* The specific personal data elements which are disclosed by other organizations to the body; the specific personal data elements which flow back to the organizations from the body; the uses and disclosures made of the information by the body; whether audit trails are maintained; the length of time the information is kept; the security standards and practices in place for retention and disposal of the information.

* Whether the operational structure of the body or process is fully documented and formalized and the authority, responsibility and accountability centres are identified.

* Whether there are specific legal regimes, licensing requirements, regulations or oversight mechanisms to which it is subject and whether sanctions or penalties for non-compliance exist.

* The privacy protection policies and procedures, such as a privacy code, followed by the body. The extent to which the policies and procedures comply with Part 1 of the Act.

* The extent to which the investigative body is independent from the association of members or client organizations that it serves.

* The extent to which all alternative methods of complying with the Act, such as contract or consent, have been exhausted.

* The amount of information provided to individuals about the existence and operation of the body and about how to make a complaint or seek redress.

Part 1 of the Act will be implemented in two stages. On January 1, 2001, it will apply to the personal information of the customers and employees of the federally regulated private sector, including telephone and transportation companies, broadcasters, and banks. It will also apply to organizations that sell personal information across provincial borders, e.g., companies selling or renting mailing lists. On January 1, 2004, the Act will apply to all personal information collected, used or disclosed in the course of commercial activity. Due to the phased introduction of the legislation and the fact that it is new to the private sector, it is expected that additions to the list of investigative bodies in the Regulation may be necessary. For this reason, the Department will continue to consider applications on a case by case basis in the future.

Of the organizations which submitted information to Industry Canada describing their internal structure and investigative process, those listed satisfied the criteria on the basis of the documentation submitted. Copies of their submissions may be obtained by contacting Industry Canada or by visiting the Electronic Commerce Web site:

http://e-com.ic.gc.ca/english/privacy/632d1.html.

Alternatives

The legislative framework in Part 1 of the Act requires that an investigative body, for the purposes of paragraph 7(3)(d) or (h.2) of the Act, be specified by the Regulations. There are no alternatives to deal with the collection, use and disclosure of this information without consent.

Benefits and Costs

Benefits

Insurance fraud is estimated to cost the property and casualty insurance industry $1.3 billion annually. Credit and debit card fraud, robbery, and counterfeit payments are estimated to cost the banking industry $250 million annually (additional losses related to cyber crime and other fraud would add to this figure). If the legislation did not allow information sharing between organizations and their private investigative bodies, the detection and prevention of fraud would be more difficult. This would add to the cost of insurance borne by law abiding policyholders and bank customers through increased premiums, service charges and fees.

Costs

The Regulation should not impose significant additional costs on the organizations to which it applies as it merely permits the continuation of existing information sharing relationships between organizations and their investigative bodies.

The Regulation will have no impact on Department resources.

Consultation

Bill C-54 (the precursor to Bill C-6) was introduced on October 1, 1998 and received extensive hearings before the Standing Committee on Industry and the Standing Senate Committee on Social Affairs, Science and Technology. Representatives of the insurance and banking industries, among others, appeared before the Standing Committee on Industry and raised the issue of the viability of private sector investigative activities under the proposed legislation. As a result, the bill was amended to provide for disclosure without consent to and by investigative bodies that were specified by the Regulations.

Subsequent to the Bill's receiving Royal Assent on April 13, 2000, Industry Canada had discussions with interested parties, including representatives of the insurance, credit reporting, telephone, banking, information technology, direct marketing, real estate, cable television, retail sale, as well as private investigators, internet service providers, the Canadian Chamber of Commerce and other business associations. Consumer and privacy organizations, the provincial and territorial privacy commissioners, and the members of the Federal-Provincial-Territorial discussion group on privacy legislation were included in these discussions. Consultations were also undertaken with the federal Privacy Commissioner.

Following the publication of the Regulation in the Canada Gazette, Part I, the following comments were received.

One commentator opposed listing the ICPB in the Regulation because it currently solicits information based on suspicion and does not permit the verification of incorrect information by allowing an individual to have access to their file. To the extent that these objections are true, they will be addressed through a combination of the Act and the regulation. Under the Act, the ICPB will be required to ensure accuracy, provide individual access, limit retention of information, etc., and will be subject to oversight by the Commissioner.

Three organizations opposed listing the BCPCIO because, according to its own submission, it investigates "dishonest" activity (not breaches of an agreement) and because it collects victim information, rather than only information about suspects, as part of their investigation. On the first point, the Regulation only gives an investigative body the ability to disclose personal information when it has reasonable grounds to believe the information relates to a breach of an agreement. On the second point, it is difficult to conduct investigations without collecting at least some victim information.

The above organizations also expressed concern that the investigative bodies may be regarded as not-for-profit entities for the purposes of the Act, and, as such, not engaged in commercial activity. If so, they would not be subject to the Act. The investigative bodies will be subject to the Act since all the disclosures of personal information mentioned in the Regulation take place in the course of commercial activity. One of these organizations also questioned whether the investigative bodies regulation required redrafting to clarify that the listed bodies are the only ones that qualify. Redrafting on this point is unnecessary.

One commentator suggested that the "considerations" for investigative bodies should be identified as strict criteria, that applicants should be required to demonstrate that they could not function without the exception and that a public interest test be added. The "considerations" listed in the RIAS are the "criteria" employed.

The listed organizations made the case that they could not function without being specified in the Regulation and also that it was in the public interest that they be allowed to function as investigative bodies to combat fraud.

One organization stated that it did not want the investigative body regulation to derogate from their right to disclose without consent as may be authorized by other federal legislation. Whatever prior arrangements an organization may have had with law enforcement agencies, it will have to conduct its affairs in accordance with the Act when it comes into force since the Act generally takes precedence (subsection 4(3)) over existing legislation. Organizations may disclose to law enforcement agencies in accordance with subparagraphs 7(3)(c.1)(i), (ii) and paragraph (d) of the Act.

One organization suggested that disclosures to professional, regulatory, disciplinary bodies (e.g., College of Dental Surgeons, Insurance Councils) for investigative activities be included in the next round of regulations. The question of the applicability of the Act to the investigative functions of these organizations will be studied and, if necessary, they could be added to the Regulation as investigative bodies.

Finally, an organization suggested that licensed private investigators be listed as investigative bodies, at least on an interim basis, and that the Act be amended to permit other types of investigations to proceed without having to obtain the consent of the individual (e.g., background checks). Industry Canada is currently working with a number of organizations and associations who are assessing whether they need to apply for status as an investigative body, including the private investigators. As regards amendments to permit other types of investigations to be recognized, they can be considered in the future.

Compliance and Enforcement

Individuals may make complaints about the practices of an organization to the Privacy Commissioner of Canada who will investigate the matter and deliver a report to the parties. The Commissioner may make recommendations to an organization concerning its practices and whether they are considered to comply with Part 1 of the Act but the Commissioner does not have the power to issue binding orders on the organization. The individual or the Privacy Commissioner, or both acting together, may take unresolved complaints to the Federal Court of Canada which has the power to order an organization to change a practice and to pay damages to the individual.

Contact

Mr. Richard Simpson

Director General

Electronic Commerce Branch

Industry Canada

300 Slater Street

Room D2090

Ottawa, Ontario

K1A 0C8

Tel.: (613) 990-4292

FAX: (613) 941-0178

E-mail: simpson.richard@ic.gc.ca

Registration

SOR/2001-7 13 December, 2000

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Regulations Specifying Publicly Available Information

P.C. 2000-1777 13 December, 2000

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(1)(a.1) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) hereby makes the annexed Regulations Specifying Publicly Available Information.

REGULATIONS SPECIFYING PUBLICLY AVAILABLE INFORMATION

INFORMATION

1. The following information and classes of information are specified for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Personal Information Protection and Electronic Documents Act:

(a) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;

(b) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;

(c) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;

(d) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and

(e) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

COMING INTO FORCE

2. These Regulations come into force on January 1, 2001.

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Description

Part 1 of the Personal Information Protection and Electronic Documents Act establishes rules to govern the collection, use and disclosure of personal information by organizations in the course of commercial activity. The legislation requires an organization, which is collecting, using or disclosing personal information, to obtain the individual's consent in most circumstances. Exceptions to this rule are found in paragraphs 7(1)(d), (2)(c.1) or (3)(h.1) of the Act which permit the collection, use and disclosure of personal information, without the knowledge or consent of the individual, if the information is publicly available and is specified by the Regulations. The purpose of this Regulation is to specify what information and classes of information are publicly available information for the purposes of paragraphs 7(1)(d), (2)(c.1) and (3)(h.1) of the Act.

The basic premise underlying this Regulation is that the collection, use and disclosure of publicly available personal information for commercial purposes should be subject to the same fair information practices as are required by the Act for all other personal information. As a rule, individuals are able to decide for themselves with whom they will share personal information and under what circumstances. However, some personal information enters into the public sphere through a variety of channels, often without the knowledge or consent of the individual. Examples include personal information that appears in telephone or other directories, public registries maintained by governments, public court records or that is published in the media. This personal information is made public for a specific and primary purpose, e.g., individuals allow their name, address and telephone number to appear in the telephone or other directories to enable others to contact them for personal reasons, to enable potential clients to reach them in their professional capacity or to enable others to verify their title, membership or professional qualifications. Some government registries such as land titles, personal property, municipal property tax rolls, are open to the public to promote longstanding public policy purposes. Public access is permitted to some court records to facilitate transparency in the justice system, while other personal information is placed in publications to publicize specific information about the individual (e.g., birth and marriage announcements).

Privacy concerns arise because more information is sometimes collected in public registries (many of which were created in an era when privacy concerns were not fully considered) than is required for the fulfilment of the primary purpose. Other concerns relate to the manner in which the information is made publicly available, e.g., whether there are any controls or limitations placed on who may collect and use it and how (increasingly, access is possible to an electronic record rather than to the traditional hard copy, and Internet access is more common as well). The fact that individuals have continuing expectations of privacy for some publicly available personal information is seldom addressed. Another privacy issue is the growing use that commercial organizations make of this information for purposes that often have nothing to do with the primary purpose for which the information was made public, i.e., to contact individuals and offer them products or services. There is also an increasing tendency to collect and use publicly available information to create comprehensive personal profiles of the individual, including their consumption habits, lifestyles and personal histories for a variety of other purposes, including employment decisions. Many, if not most, of these secondary uses are presently carried out without the knowledge or consent of the individual. A final issue is that, with few rules to govern publicly available personal information, organizations have little incentive to consider obtaining consent from the individual.

The Regulation will permit one exception from fair information practices by allowing commercial organizations to collect, use and disclose certain personal information without consent. The Regulation is based on a recognition that some personal information is publicly available for a legitimate primary purpose, often with the individual's tacit agreement (e.g., the telephone directory, announcements). In these circumstances, it is reasonable to allow organizations to collect, use and disclose this information without adding the requirement to obtain consent. To require an organization to obtain consent to use this information for its primary purpose would not contribute to the protection of the individual's privacy, would add to the organization's costs and could frustrate some public policy purpose. However, it is also reasonable to insist that any purpose other than the primary one should be subject to the consent requirement. This approach is consistent with Principle 2 of Schedule 1 of the Act (clause 4.2.4) which states that a new purpose requires consent unless required by law. Using the criteria of consistency with the primary purpose or tacit consent as the basis for the Regulation of publicly available personal information strikes the appropriate balance between the individual's right of privacy and the business need for information. Organizations will remain responsible for compliance with all other requirements of the Act for this information, including the appropriate purpose requirement in subsection 5(3) and will be subject to oversight by the Privacy Commissioner of Canada and the ability of individuals to seek redress in the Federal Court of Canada.

Part 1 of the Act will be implemented in two stages. On January 1, 2001, it will apply to the personal information of the customers and employees of the federally regulated private sector, including telephone and transportation companies, broadcasters, and banks. It will also apply to organizations that sell personal information across provincial borders, e.g., companies selling or renting mailing lists. On January 1, 2004, the Act will apply to all personal information collected, used or disclosed in the course of commercial activity. Due to the phased introduction of the legislation and the fact that it is new to the private sector, it is expected that additions or amendments to the Regulation may be necessary. For this reason, the Department will continue to consider suggestions on a case by case basis in the future.

Alternatives

The legislative framework in Part 1 of the Act requires that publicly available information be specified in the Regulations. There are no alternatives to deal with the collection, use and disclosure of this information without consent.

Benefits and Costs

Benefits

The total growth of electronic commerce on the Internet is expected to increase from $195 billion (Cdn) in 1999 to $2.8 trillion (Cdn) in 2003. By developing the proper framework, Canada could capture a market share of $94 billion (Cdn) in 2003, leading to new business opportunities and job creation to the benefit of all Canadians. By enacting the Personal Information Protection and Electronic Documents Act and this Regulation, the government is putting in place one of the essential foundations of electronic commerce which will promote its acceptance and growth. The effect of the Act and Regulation will be to build trust in electronic commerce by providing individuals with assurance of protection for their personal information. The Regulation will also create a level playing field for business with clear, predictable rules for all. It will work to encourage on-line connectedness of Canadians - to each other, to business and to the federal government. Consumers and business will be able to conduct their on-line transactions with the confidence that privacy protection measures are in place and that they will be overseen by the Privacy Commissioner.

The legislation and Regulation have been designed to be light and flexible for businesses to implement. Its principles are taken from the CSA International's Model Code for the Protection of Personal Information, developed and recognized by both businesses and consumers as a standard for privacy protection. Organizations will incur some implementation costs but the benefits of increased sales through the growth of electronic commerce transactions will more than compensate.

The Regulation will have no impact on Department resources.

Consultation

Consultations leading to this legislation began in October 1994 with the establishment of the Information Highway Advisory Council, which released a discussion paper entitled "Privacy and the Canadian Information Highway". In 1998 the government issued a discussion paper entitled "The Protection of Personal Information: Building Canada's Information Economy and Society". Bill C-54 (the precursor to Bill C-6) was introduced on October 1, 1998 and received extensive hearings before the Standing Committee on Industry. The bill was subsequently re-introduced as Bill C-6 and received extensive public hearings before the Standing Senate Committee on Social Affairs, Science and Technology.

Subsequent to the Bill's receiving Royal Assent on April 13, 2000, Industry Canada had discussions with interested parties, including representatives of the insurance, credit reporting, telephone, banking, information technology, direct marketing, real estate, cable television, retail sale, as well as private investigators, internet service providers, the Canadian Chamber of Commerce and other business associations. Consumer and privacy organizations, the provincial and territorial privacy commissioners, the members of the Federal-Provincial-Territorial discussion group on privacy legislation and the Treasury Board of Canada were included in these discussions. Consultations were also undertaken with the federal Privacy Commissioner.

Following the publication of the draft Regulation in the Canada Gazette, Part I, the following comments were received (they are grouped according to the five categories of information listed in the Regulation).

Telephone Directories

One association pointed out that the exception for the telephone directory is based on the individual's ability to refuse to appear in the directory but that the refusal can only be exercised by paying for an unlisted number (this is a condition set by several of the telephone companies). They argued that this fee was an economic barrier to lower income people who may not wish to be listed but who cannot afford to exercise their right to refuse and suggested adding "without incurring any cost for such refusal". While this point may have validity from an access to services perspective, the use of fees is not specifically a protection of privacy issue.

An organization questioned whether the term "telephone directory" included information from Directory Assistance or from online telephone directories that also provide the individual with a right of refusal to appear in the directory. The intention is to include such directories in the Regulation.

Two organizations suggested adding e-mail and fax numbers to the list of permitted data elements in the Regulation. These items cannot be added because they do not appear in the white page telephone directories. An organization suggested that a telephone directory should include "internet directories" and questioned how organizations would verify that secondary directories contained only individuals who have had the opportunity to refuse to be listed. The Regulation defines "directory" in terms of a list of subscribers. Other directories, including those published on the internet, would only qualify for the exemption if they are based on a telephone subscriber directory.

Two organizations opposed the absence of a purpose limitation for telephone directories. The decision not to place a purpose limitation on the telephone directory is based on a recognition that some personal information (e.g., the telephone directory) is publicly available with the individual's tacit agreement for the purpose of enabling others to contact the individual.

A province suggested adding a second ability to opt-out of the use of telephone directory information for secondary purposes by third parties. The second opt-out is impractical in this instance, however, since it would be impossible for secondary publishers or third party users of the directory to know whether or not the individual had exercised the second opt-out.

Professional or Business Directory

An organization suggested that the category of "professional and business directory" should include "listing or notice" and should include among the permitted data elements "qualifications or certifications". Consistent with this argument, changes to the wording of the Regulation now make it clear that listings and notices are included under the category of professional or business directory. As regards the permitted data elements, the term "including" was deliberately used to ensure that items such as "qualifications or certifications" would be captured.

Two organizations raised the issue of whether "professional/business information" about an individual should be considered as personal information and noted that employee information is excluded from the definition of personal information. Employee information was excluded from the definition so as not to hamper routine data gathering (employee nominative data is necessary for day to day commerce). Distinguishing between an individual's professional or business information and their personal information is more difficult and raises policy issues. Any change to the definition of personal information will require an amendment to the Act.

An organization noted that the purpose of many professional and business directories is not explicitly stated and wondered how organizations will be able to verify the purpose when collecting the information. They suggested that, when no purpose is stated, the organization should be allowed to make a reasonable assumption about the purpose. Organizations can do so by referring to the appropriate purpose test in subsection 5(3) of the Act.

An association expressed concern that the term "including" would allow other unspecified data elements to be used without consent, that no consent is required for subsequent uses, that "professional or business directory" is not defined and could be considered to include electronic data bases which allow searches on many fields. On these points, the wording was deliberately chosen so as not to omit some of the information that might be found in a particular directory and because many professional directories require individuals to be listed. As regards the format of the directory, the use of the information is controlled via the reference to purpose and the format is thus irrelevant. The association also suggested that the purpose for "appearing" in the directory and the purpose of the original "collection" could be defined differently by publishers who could then offer the information to organizations for secondary purposes simply by stating that these secondary purposes were the reason why the information appeared in their directory. Such a scenario should not occur since the original purpose for appearing in the directory, which allows for collection, use and disclosure of the information without consent under the Regulation, carries forward to the secondary publishers who are bound by it. Individuals listed in the directory are also in a position to influence the original purpose for appearing in a professional directory because they are members of the professional association that publishes it. A similar restriction to original purpose applies to a business directory derived from a public registry (e.g., directors of corporations listed under securities disclosure legislation). In addition, all purposes remain subject to the appropriate purposes test set out in subsection 5(3) of the Act, and a secondary purpose could be challenged by an individual on that basis.

Two associations suggested that Industry Canada publish guidelines to clarify what purposes are considered to qualify for exemption and explicitly state that marketing is not related directly to the purpose of professional directories. The intention of the Regulation, however, is not to define the purpose for making information publicly available - this is the responsibility of the associations that maintain them.

Public Registries

Several commentators, including a province, suggested substituting phrases such as "permitted or authorized" in place of "required by law". In order to better reflect the actual wording of many of the statutes which create public registries, a change has been made to substitute "authorized" for "required by law". The new wording better corresponds with the statutory language of public registries, thereby ensuring consistency with the Regulation. A province also suggested substituting the phrase "in accordance with a program conducted under a statutory mandate" for "under a statutory authority". The change is viewed as unnecessary since the latter phrase includes public registries that are indirectly created by statute as programs.

A province raised the issue of providing guidance to organizations as to how to ascertain the purpose of placing information in a public registry and suggested adding "as recognized in policies, agreements, or other publicly stated mechanisms" to the phrase "relate directly to the purpose for which the information appears in the registry". Industry Canada considers this to be a legitimate point and offers the following suggestions to assist organizations in making this determination. In the first instance, the statute may state the purpose explicitly, or implicitly in its language. Alternatively, the custodian may define the purpose by a policy statement, by the terms and conditions of collection, use and disclosure set out by the custodian in contract, regulation, etc. The purpose may also be found in a description contained in publications required under freedom of information legislation which identify all government information holdings.

A number of commentators suggested substituting phrases such as "consistent with", "not incompatible with", "related to", "relate to the purpose or purposes or for a consistent purpose" for "relate directly" arguing that the latter may be interpreted too narrowly. One organization suggested substituting the expression "directly related to the purpose" with "consistent purpose" defined as a use or disclosure that the individual to whom it relates might reasonably expect. In comparison to the alternatives suggested, "directly related to the purpose" appears to provide the clearest wording to use as the test for secondary purposes. Moreover, the addition of "reasonably expect" is unnecessary as the Act already contains such a qualification in subsection 5(3).

Several commentators suggested that "purpose" should be changed to "purposes" to reflect the fact that there may be more than one purpose for making the information public. The term "purpose" includes the plural for the purposes of interpretation.

One organization questioned whether "public registry" included electronic databases. That is the intention.

One organization suggested that the proposed wording distinguishes between public access to information about an individual and public access to the entire registry and argued that the Regulation would only allow access to a particular individual's information, but would not allow bulk access to the information of all individuals in the registry. The correct interpretation of the Regulation would allow bulk access without consent provided it relates to the purpose or purposes for which the information appears in the registry.

An organization suggested Industry Canada issue guidelines concerning what are the permitted and proscribed uses of specific databases. The intention of the Regulation, however, is not to define the purpose for making information publicly available - this is the responsibility of the governments or authorities that maintain them.

Court Records

Several organizations questioned whether "court record" included the records of boards of inquiries, tribunals, and the disciplinary hearings of professional bodies. The expression "court record" has been replaced with the expression "record or documents of a judicial or quasi-judicial body" to clarify that the public records of such bodies are included for the purposes of the Regulation.

A province suggested adding "or court record data base as recognized in policies, agreements, or other publicly stated mechanisms" to the phrase "relate directly to the purpose for which the information appears in the registry" in order to provide guidance to organizations as to how to ascertain the purpose for which a record or document of a judicial or quasi-judicial body is made publicly available. It will be possible to ascertain the purpose from any specific statements by the court concerning public access to the records of the matter or which derive from the general purpose of promoting transparency and the perception of fairness in the justice system. In addition, an organization can refer to the appropriate purposes test set out in subsection 5(3) of the Act and decide whether its purpose meets that test.

One commentator suggested that the Regulation will limit access to court information but this should not occur since access without consent for the primary purpose is allowed. Another commentator suggested removing the purpose limitation from court records since there is no clear statement of the purpose for which court records are made publicly available. A third commentator suggested removing the reference to "court records" entirely since the restriction via purpose is too broad and will not be strong enough to limit secondary uses, especially as more court records are made available in electronic form. It is consistent with the Act and important to include a reference to "court records" in the Regulation. Failing to do so would leave organizations fully subject to the requirement to obtain the individual's consent for any collection, use or disclosure of personal information in a court record or document, which could limit access to such records. The suggestion to waive any restriction on the commercial use of personal information in court records was supported by a commentator who applauded the effort to bring privacy considerations into a court's decisions as to what information to make publicly available. The approach taken in the regulation may encourage the courts or other authorities to take into consideration privacy concerns in making decisions about the extent of public access to particular court records (especially those to which internet access is available). In addition, an organization can refer to the appropriate purposes test set out in subsection 5(3) of the Act and decide whether its purpose meets that test.

One commentator suggested adding a sixth category of information to the Regulation - "where the court or tribunal allows the decision, judgment, or order to be made publicly available" in order to allow lawyers and publishers to make full use of precedents. The current wording of the Regulation allows this activity to occur.

Publications

Several organizations questioned why the examples of publications "a magazine, book, or newspaper" were drawn from traditional rather than electronic media and whether "publication" included internet media. To clarify this point, the words "in printed or electronic form" have been added to the term "publication".

A number of commentators stated that it may be difficult to determine from the context whether the individual has provided information to a publication. Suggestions to remedy this difficulty included giving a broad interpretation which would include, e.g., a speech, changing "where the individual has provided the information" to "where it is reasonable to infer that the individual has provided the information". This change is unnecessary since the inference can be made by appealing to the appropriate purpose test in subsection 5(3) of the Act. Questions were also raised about how an organization could be sure that the individual had provided the information for obituaries, birth and surprise party announcements. Organizations should be able to infer from the context of most announcements and notices whether or not the individual in fact provided the information. If an organization is in doubt, it should not collect the information without consent.

One organization suggested the Regulation is too restrictive and may interfere with freedom of expression, e.g., clipping services, indexes. However, these activities fall under the journalistic exclusion in the Act.

General Comments

One organization suggested adding a new category of "all publicly available information where disclosure is made to any organization for journalistic, artistic or literary purposes" to ensure that organizations are not restricted in their collections for journalistic purposes. This change is unnecessary since any collection for such purposes is excluded from the scope of the Act via paragraph 4(2)(c).

An association suggested adding "primary" to the reference to purpose in all categories except telephone directories. The change is viewed as unnecessary since this point is expressed by the language in the Regulation, i.e., "for which the information appears".

One province objected to the application of the legislation to provincially regulated organizations, and to the restrictions imposed on publicly available information by the Regulation. The Regulation is consistent with the purpose of the Act which relates to the collection, use and disclosure of personal information in the course of commercial activity.

Compliance and Enforcement

Individuals may make complaints about the practices of an organization to the Privacy Commissioner of Canada who will investigate the matter and deliver a report to the parties. The Commissioner may make recommendations to an organization concerning its practices and whether they are considered to comply with Part 1 of the Act but the Commissioner does not have the power to issue binding orders on the organization. The individual or the Privacy Commissioner, or both acting together, may take unresolved complaints to the Federal Court of Canada which has the power to order an organization to change a practice and to pay damages to the individual.

Contact

Mr. Richard Simpson

Director General

Electronic Commerce Branch

Industry Canada

300 Slater Street

Room D2090

Ottawa, Ontario

K1A 0C8

Tel.: (613) 990-4292

FAX: (613) 941-0178

E-mail: simpson.richard@ic.gc.ca

Registration

SOR/2001-8 13 December, 2000

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Order Binding Certain Agents of Her Majesty for the Purposes of Part 1 of the Personal Information Protection and Electronic Documents Act

P.C. 2000-1778 13 December, 2000

Her Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(a) of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) hereby makes the annexed Order Binding Certain Agents of Her Majesty for the Purposes of Part 1 of the Personal Information Protection and Electronic Documents Act.

ORDER BINDING CERTAIN AGENTS OF HER MAJESTY FOR THE PURPOSES OF PART 1 OF THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

APPLICATION

1. Part 1 of the Personal Information Protection and Electronic Documents Act is binding on the following agents of Her Majesty in right of Canada to which the Privacy Act does not apply:

(a) Atomic Energy of Canada Limited;

(b) the Canadian Broadcasting Corporation;

(c) the Enterprise Cape Breton Corporation.

COMING INTO FORCE

2. This Order comes into force on January 1, 2001.

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Order.)

Description

Part 1 of the Personal Information Protection and Electronic Documents Act applies to every organization that collects, uses and discloses personal information in the course of commercial activity. It does not apply to government institutions that are subject to the federal Privacy Act. The Act allows the Governor in Council, by Order, to bind any agent of Her Majesty in right of Canada to which the Privacy Act does not apply. Three such agencies have been identified - Atomic Energy of Canada Limited, the Canadian Broadcasting Corporation, and Enterprise Cape Breton Corporation. The purpose of this Regulation is to make Part 1 binding on these three organizations.

Alternatives

There are no alternatives to bring commercial crown corporations that are not subject to the Privacy Act under the Personal Information Protection and Electronic Documents Act.

Benefits and Costs

Benefits

The Regulation will ensure that all organizations engaged in commercial activity are subject to privacy legislation and that a level playing field exists for all.

The legislation and Regulations have been designed to be light and flexible for businesses to implement. Its principles are taken from the CSA International's Model Code for the Protection of Personal Information, developed and recognized by both businesses and consumers as a standard for privacy protection. Organizations will incur some implementation costs but the benefits from the growth of electronic commerce will more than compensate.

The Regulation will have no impact on Department resources.

Consultation

Industry Canada wrote to the three organizations in June 2000 to advise them of the intention to bind them to Part 1 of the Act and none raised any concerns.

Compliance and Enforcement

Individuals may make complaints about the practices of an organization to the Privacy Commissioner of Canada who will investigate the matter and deliver a report to the parties. The Commissioner may make recommendations to an organization concerning its practices and whether they are considered to comply with Part 1 of the Act but the Commissioner does not have the power to issue binding orders on the organization. The individual or the Privacy Commissioner, or both acting together, may take unresolved complaints to the Federal Court of Canada which has the power to order an organization to change a practice and to pay damages to the individual.

Contact

Mr. Richard Simpson

Director General

Electronic Commerce Branch

Industry Canada

300 Slater Street

Room D2090

Ottawa, Ontario

K1A 0C8

Tel.: (613) 990-4292

FAX: (613) 941-0178

E-mail: simpson.richard@ic.gc.ca