EXPLANATORY NOTE
The Bill enacts the Personal Information Protection Act, 2018. The major elements of the Bill are described below.
Part I (Introductory Provisions)
Part I sets out the definitions, purpose and application of the Act. The Act applies to every organization, which is defined as including persons, unincorporated associations and other organizations but does not include certain individuals, public bodies and Ontario courts.
The Act does not apply to personal information that is already subject to certain information protection statutes, including the Freedom of Information and Protection of Privacy Act. It also doesn't apply in many other circumstances, such as the collection, use or disclosure of personal information for personal, domestic, journalistic, artistic or literary purposes.
Part II (General Rules Respecting Protection of Personal Information by Organizations)
Part II sets out the general responsibilities for organizations with respect to personal information.
Part III (Consent)
Part III prohibits organizations from collecting, using or disclosing personal information. This doesn't apply if the individual consents or if the Act otherwise authorizes the collection, use or disclosure of the information.
The Part sets out rules for the provision of consent, implicit consent and the withdrawal of consent.
Part IV (Collection of Personal Information)
Part IV sets out requirements before an organization collects personal information. It also sets out limitations on the collection of personal information and governs situations in which personal information may be collected without consent.
Part V (Use of Personal Information)
Part V sets out limitations on the use of personal information. It also governs situations in which personal information may be used without consent.
Part VI (Disclosure of Personal Information)
Part VI sets out limitations on the disclosure of personal information. It also governs situations in which personal information may be disclosed without consent. These situations include disclosure during the sale of an organization or its business assets or for research, statistical, archival or historical purposes.
Part VII (Access to and Correction of Personal Information)
Part VII allows individuals to access personal information under the control of organizations and provides them a right to request corrections of errors or omissions in the information.
Part VIII (Administration)
Part VIII sets out the procedure for making requests to access or correct personal information.
Part IX (Care of Personal Information)
Part IX sets out organizations' responsibilities to ensure the accuracy of personal information and to protect and retain it.
Part X (Role of Commissioner)
Part X sets out the role of the Information and Privacy Commissioner under the Act. The Commissioner is responsible for monitoring how the Act is administered and ensuring that its purposes are achieved. The Commissioner has a number of powers to achieve this goal.
The Commissioner establishes an advisory committee to advise him or her on personal information requests made by law enforcement in relation to personal information held by private enterprises.
The Commissioner has the power to authorize organizations to disregard requests to access or correct personal information in certain circumstances.
The Commissioner's powers to initiate investigations and audits are set out. The procedure for hearings and proceedings with the Commissioner is set out. A failure or refusal to cooperate with certain orders of the Commissioner may make persons liable to be committed for contempt as if in breach of an order or judgment of the court.
The Commissioner is required to report to the Speaker of the Legislative Assembly on his or her work under the Act. The Speaker shall lay the annual report before the Legislative Assembly as soon as possible.
Part XI (Reviews and Orders)
Part XI sets out the procedure for asking the Commissioner to conduct a review of an organization's decision regarding a request for access to or the correction of an individual's personal information. The Commissioner may make orders after completing an inquiry to effect all or part of the request.
Part XII (General Provisions)
Part XII sets out protections for employees and non-retaliation provisions. It also sets out a general offence provision and provides for damages for breaches of the Act.
The Lieutenant Governor in Council is given a number of regulation-making powers under the Act.
Within three years after January 1, 2019, a special committee of the Legislative Assembly must begin a comprehensive review of the Act and submit their report to the Legislative Assembly within one year after the date of the appointment of the special committee. This review must be repeated at least once every six years.
Bill 14 2018
An Act with respect to the custody, use and disclosure of personal information
Contents
PART I
Definitions
Purpose
Application
PART II
Compliance with Act
Policies and practices
PART III
Prohibitions
Provision of consent
Implicit consent
Withdrawal of consent
PART IV
Required notification for collection of personal information
Limitations on collection of personal information
Collection of personal information without consent
Collection of employee personal information
PART V
Limitations on use of personal information
Use of personal information without consent
Use of employee personal information
PART VI
Limitations on disclosure of personal information
Disclosure of personal information without consent
Disclosure of employee personal information
Transfer of personal information in the sale of an organization or its business assets
Disclosure for research or statistical purposes
Disclosure for archival or historical purposes
PART VII
Access to personal information
Right to request correction of personal information
PART VIII
Definition
Circumstances in which request may be made
How to make a request
Duty to assist individual
Time limit for response
Content of response
Extending the time limit for response
Fees
PART IX
Accuracy of personal information
Protection of personal information
Retention of personal information
PART X
General powers of Commissioner
Advisory committee
Power to authorize organization to disregard requests
Powers of Commissioner in conducting investigations, audits or inquiries
Maintenance of order at hearings
Contempt proceeding for uncooperative person
Evidence in proceedings
Protection against libel or slander actions
Restrictions on disclosure of information by Commissioner and staff
Protection of Commissioner and staff
Delegation by Commissioner
Annual report of Commissioner
PART XI
Definitions
Asking for a review
How to ask for a review or make a complaint
Notifying others of review
Mediation may be authorized
Inquiry by Commissioner
Burden of proof
Commissioner's orders
Duty to comply with orders
PART XII
Protection
Non-retaliation
Offences and penalties
Damages for breach of Act
Regulations
Review of Act
Commencement
Short title |
Her Majesty, by and with the advice and consent of the Legislative Assembly of the Province of Ontario, enacts as follows:
Part I
Introductory Provisions
Definitions
1 In this Act,
"business day" does not include a holiday or a Saturday; ("jour ouvrable")
"Commissioner" means the Information and Privacy Commissioner appointed under the Freedom of Information and Protection of Privacy Act; ("commissaire")
"contact information" means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual; ("coordonnées")
"credit report" means a written, oral or other communication regarding credit information of an individual; ("dossier de crédit")
"credit reporting agency" means a person, whether in Ontario or not, who,
(a) provides credit reports for gain or profit,
(b) provides credit reports on a routine, non-profit basis as an ancillary part of a business carried on for gain or profit, or
(c) is prescribed; ("agence de renseignements sur le crédit")
"document" includes,
(a) a thing on or by which information is stored, and
(b) a document in electronic or similar form; ("document")
"domestic" means related to home or family; ("familial")
"employee" includes a volunteer; ("employé")
"employee personal information" means personal information about an individual that is collected, used or disclosed solely for the purposes reasonably required to establish, manage or terminate an employment relationship between the organization and that individual, but does not include personal information that is not about an individual's employment; ("renseignements personnels sur un employé")
"employment" includes working under an unpaid volunteer work relationship; ("emploi")
"investigation" means an investigation related to,
(a) a breach of an agreement,
(b) a contravention of a statute or regulation of Canada or a province,
(c) a circumstance or conduct that may result in a remedy or relief being available under a statute or regulation, under the common law or in equity,
(d) the prevention of fraud, or
(e) a contravention of the Securities Act; ("enquête")
"organization" includes a person, an unincorporated association, a trade union, a trust or a not for profit organization, but does not include,
(a) an individual acting in a personal or domestic capacity or acting as an employee,
(b) a public body, or
(c) a court of Ontario; ("organisation")
"personal information" means information about an identifiable individual and includes employee personal information but does not include,
(a) contact information, or
(b) work product information; ("renseignements personnels")
"prescribed" means prescribed by the regulations; ("prescrit")
"private enterprise" means a corporation, company, business, individual, or any other private entity providing a service in which personal data is collected or stored from a customer; ("entreprise privée")
"proceeding" means a civil, a criminal or an administrative proceeding that is related to the allegation of,
(a) a breach of an agreement,
(b) a contravention of a statute or regulation of Canada or a province, or
(c) a wrong or a breach of a duty for which a remedy is claimed under a statute or regulation, under the common law or in equity; ("instance")
"public body" means
(a) a ministry of the government of Ontario,
(b) a municipality in Ontario,
(c) a local board, as defined in the Municipal Act, 2001, of a municipality in Ontario,
(d) any other authority, board, commission, corporation, office or organization of persons some or all of whose members, directors or officers are appointed or chosen by or under the authority of a municipality in Ontario,
(e) a board as defined in the Education Act,
(f) a district social services administration board established under the District Social Services Administration Boards Act, or
(g) any other prescribed person or entity; ("organisme public")
"regulations" means the regulations made under this Act; ("règlements")
"work product information" means information prepared or collected by an individual or group of individuals as a part of the individual's or group's responsibilities or activities related to the individual's or group's employment or business but does not include personal information about an individual who did not prepare or collect the personal information. ("renseignements sur le produit du travail")
Purpose
2 The purpose of this Act is to,
(a) govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances; and
(b) protect the privacy of individuals' personal information held by private enterprises when it is in the interest of the safety and security of individuals, infrastructure, the public, Ontario or Canada.
Application
3 (1) Subject to this section, this Act applies to every organization.
Exception
(2) This Act does not apply to,
(a) the collection, use or disclosure of personal information, if the collection, use or disclosure is for the personal or domestic purposes of the individual who is collecting, using or disclosing the personal information and for no other purpose;
(b) the collection, use or disclosure of personal information, if the collection, use or disclosure is for journalistic, artistic or literary purposes and for no other purpose;
(c) the collection, use or disclosure of personal information, if the Personal Information Protection and Electronic Documents Act (Canada) applies to the collection, use or disclosure of the personal information;
(d) personal information if the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act or the Personal Health Information Protection Act, 2004 applies to the personal information;
(e) personal information in,
(i) a court document,
(ii) a document of a judge of an Ontario court, or a document relating to support services provided to a judge of those courts,
(iii) a document of a master of an Ontario court, or
(iv) a document of a justice of the peace;
(f) personal information in a note, communication or draft decision of the decision maker in an administrative proceeding;
(g) the collection, use or disclosure by a member or officer of the Legislature of personal information that relates to the exercise of the functions of that member or officer;
(h) a document related to a prosecution if all proceedings related to the prosecution have not been completed; and
(i) the collection of personal information that has been collected on or before the day this Act comes into force.
Solicitor-client privilege
(3) Nothing in this Act affects solicitor-client privilege.
Parties to proceedings
(4) This Act does not limit the information available by law to a party to a proceeding.
Conflict with other legislation
(5) If a provision of this Act is inconsistent or in conflict with a provision of another statute, the provision of this Act prevails unless another Act expressly provides that the other statute, or a provision of it, applies despite this Act.
Part II
General Rules Respecting Protection of Personal Information by Organizations
Compliance with Act
4 (1) In meeting its responsibilities under this Act, an organization must consider what a reasonable person would consider appropriate in the circumstances.
Responsibility for information
(2) An organization is responsible for personal information under its control, including personal information that is not in the custody of the organization.
Designated individual
(3) An organization must designate one or more individuals to be responsible for ensuring that the organization complies with this Act.
Delegation
(4) An individual designated under subsection (3) may delegate to another individual the duty conferred by that designation.
Available to public
(5) An organization must make available to the public,
(a) the position name or title of each individual designated under subsection (3) or delegated under subsection (4); and
(b) contact information for each individual referred to in clause (a).
Policies and practices
5 An organization must,
(a) develop and follow policies and practices that are necessary for the organization to meet the obligations of the organization under this Act;
(b) develop a process to respond to complaints that may arise respecting the application of this Act; and
(c) make information available on request about,
(i) the policies and practices referred to in clause (a), and
(ii) the complaint process referred to in clause (b).
Part III
Consent
Prohibitions
6 (1) An organization must not,
(a) collect personal information about an individual;
(b) use personal information about an individual; or
(c) disclose personal information about an individual.
Exceptions
(2) Subsection (1) does not apply if,
(a) the individual gives consent to the collection, use or disclosure,
(b) this Act authorizes the collection, use or disclosure without the consent of the individual; or
(c) this Act deems the collection, use or disclosure to be consented to by the individual.
Provision of consent
7 (1) An individual has not given consent under this Act to an organization unless,
(a) the organization has provided the individual with the information required under subsection 10 (1); and
(b) the individual's consent is provided in accordance with this Act.
Not as condition
(2) An organization must not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service.
Invalid consent
(3) Any consent for collecting, using or disclosing personal information is not validly given if an organization attempts to obtain the consent by,
(a) providing false or misleading information respecting the collection, use or disclosure of the information; or
(b) using deceptive or misleading practices.
Implicit consent
8 (1) An individual is deemed to consent to the collection, use or disclosure of personal information by an organization for a purpose if,
(a) at the time the consent is deemed to be given, the purpose would be considered to be obvious to a reasonable person; and
(b) the individual voluntarily provides the personal information to the organization for that purpose.
Deemed consent
(2) An individual is deemed to consent to the collection, use or disclosure of personal information for the purpose of his or her enrolment or coverage under an insurance, pension, benefit or similar plan, policy or contract if he or she,
(a) is a beneficiary or has an interest as an insured under the plan, policy or contract; and
(b) is not the applicant for the plan, policy or contract.
Specified purposes
(3) An organization may collect, use or disclose personal information about an individual for specified purposes if,
(a) the organization provides the individual with a notice, in a form the individual can reasonably be considered to understand, that it intends to collect, use or disclose the individual's personal information for those purposes;
(b) the organization gives the individual a reasonable opportunity to decline within a reasonable time to have his or her personal information collected, used or disclosed for those purposes;
(c) the individual does not decline, within the time allowed under clause (b), the proposed collection, use or disclosure; and
(d) the collection, use or disclosure of personal information is reasonable having regard to the sensitivity of the personal information in the circumstances.
Not for different purpose
(4) Subsection (1) does not authorize an organization to collect, use or disclose personal information for a different purpose than the purpose to which that subsection applies.
Withdrawal of consent
9 (1) Subject to subsections (5) and (6), on giving reasonable notice to the organization, an individual may withdraw consent to the collection, use or disclosure of personal information about the individual at any time.
Inform of consequences
(2) On receipt of notice referred to in subsection (1), an organization must inform the individual of the likely consequences to the individual of withdrawing his or her consent.
No prohibition of withdrawal
(3) An organization must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal information related to the individual.
If withdrawal
(4) Subject to section 35, if an individual withdraws consent to the collection, use or disclosure of personal information by an organization, the organization must stop collecting, using or disclosing the personal information unless the collection, use or disclosure is permitted without consent under this Act.
Exception
(5) An individual may not withdraw consent if withdrawing the consent would frustrate the performance of a legal obligation.
Credit reporting agency
(6) An individual may not withdraw a consent given to a credit reporting agency in the circumstances described in clause 12 (1) (g) or 15 (1) (g).
Part IV
Collection of Personal Information
Required notification for collection of personal information
10 (1) On or before collecting personal information about an individual from the individual, an organization must disclose to the individual verbally or in writing,
(a) the purposes for the collection of the information; and
(b) on request by the individual, the position name or title and the contact information for an officer or employee of the organization who is able to answer the individual's questions about the collection.
Sufficient information
(2) On or before collecting personal information about an individual from another organization without the consent of the individual, an organization must provide the other organization with sufficient information regarding the purpose of the collection to allow that other organization to determine whether the disclosure would be in accordance with this Act.
Exception
(3) This section does not apply to a collection described in subsection 8 (1) or (2).
Limitations on collection of personal information
11 Subject to this Act, an organization may collect personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that,
(a) fulfill the purposes that the organization discloses under subsection 10 (1); or
(b) are otherwise permitted under this Act.
Collection of personal information without consent
12 (1) An organization may collect personal information about an individual without consent or from a source other than the individual, if,
(a) the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
(b) the collection is necessary for the medical treatment of the individual and the individual is unable to give consent;
(c) it is reasonable to expect that the collection with the consent of the individual would compromise the availability or the accuracy of the personal information and the collection is reasonable for an investigation or a proceeding;
(d) the personal information is collected by observation at a performance, a sports meet or a similar event,
(i) at which the individual voluntarily appears, and
(ii) that is open to the public;
(e) the personal information is available to the public from a prescribed source;
(f) the collection is necessary to determine the individual's suitability,
(i) to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or
(ii) to be selected for an athletic or artistic purpose;
(g) the organization is a credit reporting agency that collects the personal information to create a credit report and the individual consents at the time the original collection takes place to the disclosure for this purpose;
(h) the collection is required or authorized by law;
(i) the information was disclosed to the organization under sections 18 to 22;
(j) the personal information is necessary to facilitate,
(i) the collection of a debt owed to the organization, or
(ii) the payment of a debt owed by the organization;
(k) the personal information is collected for the purposes of the organization providing legal services to a third party and the collection is necessary for the purposes of providing those services; or
(l) the personal information is collected for the purposes of the organization providing services to a third party if,
(i) the third party is an individual acting in a personal or domestic capacity,
(ii) the third party is providing the information to the organization, and
(iii) the information is necessary for the purposes of providing those services.
Collection on behalf
(2) An organization may collect personal information from or on behalf of another organization without consent of the individual to whom the information relates, if
(a) the individual previously consented to the collection of the personal information by the other organization; and
(b) the personal information is disclosed to or collected by the organization solely,
(i) for the purposes for which the information was previously collected, and
(ii) to assist that organization to carry out work on behalf of the other organization.
Collection of employee personal information
13 (1) Subject to subsection (2), an organization may collect employee personal information without the consent of the individual.
Consent
(2) An organization may not collect employee personal information without the consent of the individual unless,
(a) section 12 allows the collection of the employee personal information without consent; or
(b) the collection is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.
Notice
(3) An organization must notify an individual that it will be collecting employee personal information about the individual and the purposes for the collection before the organization collects the employee personal information without the consent of the individual.
Employee personal information
(4) Subsection (3) does not apply to employee personal information if section 12 allows it to be collected without the consent of the individual.
Part V
Use of Personal Information
Limitations on use of personal information
14 Subject to this Act, an organization may use personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that,
(a) fulfill the purposes that the organization discloses under subsection 10 (1);
(b) for information collected before this Act comes into force, fulfill the purposes for which it was collected; or
(c) are otherwise permitted under this Act.
Use of personal information without consent
15 (1) An organization may use personal information about an individual without the consent of the individual, if,
(a) the use is clearly in the interests of the individual and consent cannot be obtained in a timely way;
(b) the use is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent;
(c) it is reasonable to expect that the use with the consent of the individual would compromise an investigation or proceeding and the use is reasonable for purposes related to an investigation or a proceeding;
(d) the personal information is collected by observation at a performance, a sports meet or a similar event,
(i) at which the individual voluntarily appears, and
(ii) that is open to the public;
(e) the personal information is available to the public from a prescribed source;
(f) the use is necessary to determine the individual's suitability,
(i) to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or
(ii) to be selected for an athletic or artistic purpose;
(g) the personal information is used by a credit reporting agency to create a credit report if the individual consented to the disclosure for this purpose;
(h) the use is required or authorized by law;
(i) the personal information was collected by the organization under clause 12 (1) (k) or (l) and is used to fulfill the purposes for which it was collected;
(j) the personal information was disclosed to the organization under sections 18 to 22;
(k) the personal information is needed to facilitate,
(i) the collection of a debt owed to the organization, or
(ii) the payment of a debt owed by the organization;
(l) a credit reporting agency is permitted to collect the personal information without consent under section 12 and the information is not used by the credit reporting agency for any purpose other than to create a credit report; or
(m) the use is necessary to respond to an emergency that threatens the life, health or security of an individual.
Same
(2) An organization may use personal information collected from or on behalf of another organization without the consent of the individual to whom the information relates, if,
(a) the individual consented to the use of the personal information by the other organization; and
(b) the personal information is used by the organization solely,
(i) for the purposes for which the information was previously collected, and
(ii) to assist that organization to carry out work on behalf of the other organization.
Use of employee personal information
16 (1) Subject to subsection (2), an organization may use employee personal information without the consent of the individual.
Same
(2) An organization may not use employee personal information without the consent of the individual unless,
(a) section 15 allows the use of the employee personal information without consent; or
(b) the use is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.
Notice
(3) An organization must notify an individual that it will be using employee personal information about the individual and the purposes for the use before the organization uses the employee personal information without the consent of the individual.
Exception
(4) Subsection (3) does not apply to employee personal information if section 15 allows it to be used without the consent of the individual.
Part VI
Disclosure of Personal Information
Limitations on disclosure of personal information
17 Subject to this Act, an organization may disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances and that,
(a) fulfill the purposes that the organization discloses under subsection 10 (1);
(b) for information collected before this Act comes into force, fulfill the purposes for which it was collected; or
(c) are otherwise permitted under this Act.
Disclosure of personal information without consent
18 (1) An organization may only disclose personal information about an individual without the consent of the individual, if
(a) the disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way;
(b) the disclosure is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent;
(c) it is reasonable to expect that the disclosure with the consent of the individual would compromise an investigation or proceeding and the disclosure is reasonable for purposes related to an investigation or a proceeding;
(d) the personal information is collected by observation at a performance, a sports meet or a similar event,
(i) at which the individual voluntarily appears, and
(ii) that is open to the public;
(e) the personal information is available to the public from a prescribed source;
(f) the disclosure is necessary to determine suitability,
(i) to receive an honour, award or similar benefit, including an honorary degree, scholarship or bursary, or
(ii) to be selected for an athletic or artistic purpose;
(g) the disclosure is necessary in order to collect a debt owed to the organization or for the organization to repay an individual money owed to them by the organization;
(h) the personal information is disclosed in accordance with a provision of a treaty that,
(i) authorizes or requires its disclosure, and
(ii) is made under a statute or regulation of Ontario or Canada;
(i) the disclosure is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body with jurisdiction to compel the production of personal information;
(j) the disclosure is to a public body or a law enforcement agency in Canada, concerning an offence under the laws of Canada or a province, to assist in an investigation, or in the making of a decision to undertake an investigation,
(i) to determine whether the offence has taken place, or
(ii) to prepare for the laying of a charge or the prosecution of the offence;
(k) there are reasonable grounds to believe that compelling circumstances exist that affect the health or safety of any individual and if notice of disclosure is mailed to the last known address of the individual to whom the personal information relates;
(l) the disclosure is for the purpose of contacting next of kin or a friend of an injured, ill or deceased individual;
(m) the disclosure is to a lawyer who is representing the organization;
(n) the disclosure is to an archival institution if the collection of the personal information is reasonable for research or archival purposes;
(o) the disclosure is required or authorized by law; or
(p) the disclosure is in accordance with sections 19 to 22.
Disclosure to organization
(2) An organization may disclose personal information to another organization without consent of the individual to whom the information relates, if,
(a) the individual consented to the collection of the personal information by the organization; and
(b) the personal information is disclosed to the other organization solely,
(i) for the purposes for which the information was previously collected, and
(ii) to assist the other organization to carry out work on behalf of the first organization.
Collection on behalf
(3) An organization may disclose personal information to another organization without consent of the individual to whom the information relates, if the organization was authorized by subsection 12 (2) to collect the personal information from or on behalf of the other organization.
Certain personal information
(4) An organization may disclose personal information to another organization, or to a public body, without consent of the individual to whom the information relates, if
(a) the personal information was collected by an organization under clause 12 (1) (k) or (l);
(b) the disclosure between the organizations, or between the organization and the public body, is for the purposes for which the information was collected;
(c) the disclosure is necessary for those purposes; and
(d) for each disclosure under this subsection, the third party referred to in clause 12 (1) (k) or (l), as applicable, consents to the disclosure.
Disclosure of employee personal information
19 (1) Subject to subsection (2), an organization may disclose employee personal information without the consent of the individual.
Consent
(2) An organization may not disclose employee personal information without the consent of the individual unless,
(a) section 18 allows the disclosure of the employee personal information without consent; or
(b) the disclosure is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.
Notice
(3) An organization must notify an individual that it will be disclosing employee personal information about the individual and the purposes for the disclosure before the organization discloses employee personal information about the individual without the consent of the individual.
Exception
(4) Subsection (3) does not apply to employee personal information if section 18 allows it to be disclosed without the consent of the individual.
Transfer of personal information in the sale of an organization or its business assets
Definitions
20 (1) In this section,
"business transaction" means the purchase, sale, lease, merger or amalgamation or any other type of acquisition, disposal or financing of an organization or a portion of an organization or of any of the business or assets of an organization; ("opération commerciale")
"party" means a person or another organization that proceeds with the business transaction. ("partie")
Disclosure without consent
(2) An organization may disclose personal information about its employees, customers, directors, officers or shareholders without their consent, to a prospective party if,
(a) the personal information is necessary for the prospective party to determine whether to proceed with the business transaction; and
(b) the organization and prospective party have entered into an agreement that requires the prospective party to use or disclose the personal information solely for purposes related to the prospective business transaction.
Conditions
(3) If an organization proceeds with a business transaction, the organization may disclose, without consent, personal information of employees, customers, directors, officers and shareholders of the organization to a party on condition that,
(a) the party must only use or disclose the personal information for the same purposes for which it was collected, used or disclosed by the organization;
(b) the disclosure is only of personal information that relates directly to the part of the organization or its business assets that is covered by the business transaction; and
(c) the employees, customers, directors, officers and shareholders whose personal information is disclosed are notified that,
(i) the business transaction has taken place, and
(ii) the personal information about them has been disclosed to the party.
Collection and use of personal information
(4) A prospective party may collect and use personal information without the consent of the employees, customers, directors, officers and shareholders of the organization in the circumstances described in subsection (2) if the prospective party complies with the conditions applicable to that prospective party under that subsection.
Same
(5) A party may collect, use and disclose personal information without the consent of the employees, customers, directors, officers and shareholders of the organization in the circumstances described in subsection (3) if the party complies with the conditions applicable to that party under that subsection.
Transaction does not proceed or is not completed
(6) If a business transaction does not proceed or is not completed, a prospective party must destroy or return to the organization any personal information the prospective party collected under subsection (2) about the employees, customers, directors, officers and shareholders of the organization.
Substantial assets of organization required in transaction
(7) This section does not authorize an organization to disclose personal information to a party or prospective party for purposes of a business transaction that does not involve substantial assets of the organization other than this personal information.
Same
(8) A party or prospective party is not authorized by this section to collect, use or disclose personal information that an organization disclosed to it in contravention of subsection (7).
Disclosure for research or statistical purposes
21 (1) An organization may disclose, without the consent of the individual, personal information for a research purpose, including statistical research, only if
(a) the research purpose cannot be accomplished unless the personal information is provided in an individually identifiable form;
(b) the disclosure is on condition that it will not be used to contact persons to ask them to participate in the research;
(c) linkage of the personal information to other information is not harmful to the individuals identified by the personal information and the benefits to be derived from the linkage are clearly in the public interest;
(d) the organization to which the personal information is to be disclosed has signed an agreement to comply with the following,
(i) this Act,
(ii) the policies and procedures relating to the confidentiality of personal information of the organization that collected the personal information,
(iii) security and confidentiality conditions,
(iv) a requirement to remove or destroy individual identifiers at the earliest reasonable opportunity,
(v) prohibition of any subsequent use or disclosure of that personal information in individually identifiable form without the express authorization of the organization that disclosed the personal information; and
(e) it is impracticable for the organization to seek the consent of the individual for the disclosure.
Exception, market research purposes
(2) Subsection (1) does not authorize an organization to disclose personal information for market research purposes.
Disclosure for archival or historical purposes
22 An organization may disclose, without the consent of the individual, personal information for archival or historical purposes if,
(a) a reasonable person would not consider the personal information to be too sensitive to the individual to be disclosed at the proposed time;
(b) the disclosure is for historical research and is in accordance with section 21;
(c) the information is about someone who has been dead for 20 or more years; or
(d) the information is in a record that has been in existence for 100 or more years.
Part VII
Access to and Correction of Personal Information
Access to personal information
23 (1) Subject to subsections (2) to (5), on request of an individual, an organization must provide the individual with the following:
1. The individual's personal information under the control of the organization.
2. Information about the ways in which the personal information referred to in paragraph 1 has been and is being used by the organization.
3. The names of the individuals and organizations to whom the personal information referred to in paragraph 1 has been disclosed by the organization.
Credit reporting agency
(2) An organization that is a credit reporting agency and that receives a request under subsection (1) must also provide the individual with the names of the sources from which it received the personal information unless it is reasonable to assume the individual can ascertain those sources.
Exceptions
(3) An organization is not required to disclose personal information and other information under subsection (1) or (2) in the following circumstances:
1. The information is protected by solicitor-client privilege.
2. The disclosure of the information would reveal confidential commercial information that, if disclosed, could, in the opinion of a reasonable person, harm the competitive position of the organization.
3. The information was collected or disclosed without consent, as allowed under section 12 or 18, for the purposes of an investigation and the investigation and associated proceedings and appeals have not been completed.
4. The information was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he or she was appointed to act,
i. under a collective agreement,
ii. under a statute or regulation, or
iii. by a court.
5. The information is in a document that is subject to a solicitor's lien.
Same
(4) A credit reporting agency is not required to disclose the names of the individuals and organizations to whom the personal information was last disclosed by the agency in a credit report more than 12 months before the request under subsection (1) was made.
No disclosure in certain circumstances
(5) An organization must not disclose personal information and other information under subsection (1) or (2) in the following circumstances:
1. The disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request.
2. The disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request.
3. The disclosure would reveal personal information about another individual.
4. The disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity.
If information removable
(6) If an organization is able to remove the information referred to in subsection (5) or in paragraph 1, 2 or 3 of subsection (3) from a document that contains personal information about the individual who requested it, the organization must provide the individual with access to the personal information after the information referred to in subsection (5) or in paragraph 1, 2 or 3 of subsection (3) is removed.
Right to request correction of personal information
24 (1) An individual may request an organization to correct an error or omission in the personal information that is,
(a) about the individual; and
(b) under the control of the organization.
Implementation
(2) If an organization is satisfied on reasonable grounds that a request made under subsection (1) should be implemented, the organization must,
(a) correct the personal information as soon as reasonably possible; and
(b) send the corrected personal information to each organization to which the personal information was disclosed by the organization during the year before the date the correction was made.
No correction made
(3) If no correction is made under subsection (2), the organization must annotate the personal information under its control with the correction that was requested but not made.
Notice received
(4) When an organization is notified under subsection (2) of a correction of personal information, the organization must correct the personal information under its control.
Part VIII
Administration
Definition
25 In this Part, "applicant" means an individual who makes a request under section 27.
Circumstances in which request may be made
26 An individual may make a request of an organization as permitted under sections 23 or 24.
How to make a request
27 For an individual to obtain access to his or her personal information or to request a correction of his or her personal information, the individual must make a written request that provides sufficient detail to enable the organization, with a reasonable effort, to identify the individual and the personal information or correction being sought.
Duty to assist individual
28 An organization must make a reasonable effort,
(a) to assist each applicant;
(b) to respond to each applicant as accurately and completely as reasonably possible; and
(c) unless subsection 23 (3), (4) or (5) applies, to provide each applicant with,
(i) the requested personal information, or
(ii) if the requested personal information cannot be reasonably provided, with a reasonable opportunity to examine the personal information.
Time limit for response
29 (1) Subject to this section, an organization must respond to an applicant not later than,
(a) 30 business days after receiving the applicant's request; or
(b) the end of an extended time period if the time period is extended under section 31.
Same
(2) If an organization asks the Commissioner under section 38 for authorization to disregard a request, the 30 business days referred to in subsection (1) of this section does not include the period from the start of the day the request is made under section 38 to the end of the day a decision is made by the Commissioner with respect to that application.
Same
(3) If an applicant asks the Commissioner under section 49 to review a fee estimate, the 30 business days referred to in subsection (1) of this section does not include the period from the start of the day the applicant asks for the review to the end of the day the Commissioner makes a decision.
Content of response
30 (1) In a response under section 28, if access to all or part of the personal information requested by the applicant is refused, the organization must tell the applicant,
(a) the reasons for the refusal and the provision of this Act on which the refusal is based;
(b) the name, position title, business address and business telephone number of an officer or employee of the organization who can answer the applicant's questions about the refusal; and
(c) that the applicant may ask for a review under section 49 within 30 business days of being notified of the refusal.
Exception
(2) Despite clause (1) (a), the organization may refuse in a response to confirm or deny the existence of personal information collected as part of an investigation.
Extending the time limit for response
31 (1) An organization may extend the time for responding to a request under section 23 for up to an additional 30 business days or, with the Commissioner's permission, for a longer period if,
(a) the applicant does not give enough detail to enable the organization to identify the personal information requested;
(b) a large amount of personal information is requested or must be searched and meeting the time limit would unreasonably interfere with the operations of the organization; or
(c) more time is needed to consult with another organization or public body before the organization is able to decide whether or not to give the applicant access to a requested document.
If time extended
(2) If the time is extended under subsection (1), the organization must tell the applicant,
(a) the reason for the extension;
(b) the time when a response from the organization can be expected; and
(c) the rights of the applicant to complain about the extension and request that an order be made under paragraph 2 of subsection 55 (3).
Fees
32 (1) An organization must not charge an individual a fee respecting employee personal information concerning the individual.
Access to information other than employee personal information
(2) An organization may charge an individual who makes a request under section 23 a minimal fee for access to the individual's personal information that is not employee personal information concerning the individual.
Estimate and deposit
(3) If an individual is required by an organization to pay a fee for services provided to the individual to enable the organization to respond to a request under section 23, the organization,
(a) must give the applicant a written estimate of the fee before providing the service; and
(b) may require the applicant to pay a deposit for all or part of the fee.
Part IX
Care of Personal Information
Accuracy of personal information
33 An organization must make a reasonable effort to ensure that personal information collected by or on behalf of the organization is accurate and complete, if the personal information,
(a) is likely to be used by the organization to make a decision that affects the individual to whom the personal information relates; or
(b) is likely to be disclosed by the organization to another organization.
Protection of personal information
34 An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
Retention of personal information
35 (1) Despite subsection (2), if an organization uses an individual's personal information to make a decision that directly affects the individual, the organization must retain that information for at least one year after using it so that the individual has a reasonable opportunity to obtain access to it.
Destruction of documents
(2) An organization must destroy its documents containing personal information, or remove the means by which the personal information can be associated with particular individuals, as soon as it is reasonable to assume that,
(a) the purpose for which that personal information was collected is no longer being served by retention of the personal information; and
(b) retention is no longer necessary for legal or business purposes.
Part X
Role of Commissioner
General powers of Commissioner
36 (1) In addition to the Commissioner's powers and duties under Part XI with respect to reviews, the Commissioner is responsible for monitoring how this Act is administered to ensure that its purposes are achieved, and may do any of the following:
1. Whether a complaint is received or not, initiate investigations and audits to ensure compliance with any provision of this Act, if the Commissioner is satisfied there are reasonable grounds to believe that an organization is not complying with this Act.
2. Make an order described in subsection 55 (3), whether or not a review is requested.
3. Inform the public about this Act.
4. Receive comments from the public about the administration of this Act.
5. Engage in or commission research into anything affecting the achievement of the purposes of this Act.
6. Comment on the implications for protection of personal information of programs proposed by organizations.
7. Comment on the implications of automated systems for the protection of personal information.
8. Comment on the implications for protection of personal information of the use or disclosure of personal information held by organizations for document linkage.
9. Authorize the collection of personal information by an organization from sources other than the individual to whom the personal information relates.
10. Bring to the attention of an organization any failure of the organization to meet the obligations established by this Act.
11. Exchange information with any person who, under legislation of another province or of Canada, has powers and duties similar to those of the Commissioner.
12. Enter into information-sharing agreements for the purposes of paragraph 11 and into other agreements with the persons referred to in that paragraph for the purpose of coordinating their activities and providing for mechanisms for handling complaints.
Investigation and resolution of complaints
(2) Without limiting subsection (1), the Commissioner may investigate and attempt to resolve complaints that,
(a) a duty imposed under this Act has not been performed;
(b) an extension of time for responding to a request is not in accordance with section 29;
(c) a fee required by an organization under this Act is not reasonable;
(d) a correction of personal information requested under section 24 has been refused without justification; and
(e) personal information has been collected, used or disclosed by an organization in contravention of this Act.
Advisory committee
37 (1) The Commissioner shall establish an advisory committee to advise him or her on personal information requests made by law enforcement in relation to personal information held by private enterprises.
Composition
(2) The advisory committee shall be composed of five members, who shall be appointed by the Commissioner.
Expertise
(3) The Commissioner shall endeavour to ensure that the advisory committee includes experts on law enforcement, privacy law, constitutional law and human rights law.
Chair
(4) The Commissioner shall designate one of the members of the advisory committee as the chair of the committee.
Rules
(5) The advisory committee may make rules governing the conduct and administration of its affairs.
Replacement
(6) If any member of the advisory committee dies, resigns, or cannot perform their duties for any other reason for a period of more than six consecutive months, the Commissioner shall appoint a new member for the board to replace them for the duration of their term.
Power to authorize organization to disregard requests
38 If asked by an organization, the Commissioner may authorize the organization to disregard requests under section 23 or 24 that,
(a) would unreasonably interfere with the operations of the organization because of the repetitious or systematic nature of the requests; or
(b) are frivolous or vexatious.
Powers of Commissioner in conducting investigations, audits or inquiries
39 (1) For the purposes of conducting an investigation or an audit under section 36 or an inquiry under section 53, the Commissioner may make an order requiring a person to do either or both of the following:
1. Attend, in person or by electronic means, before the Commissioner to answer questions on oath or affirmation, or in any other manner.
2. Produce for the Commissioner a document in the custody or under the control of the person, including a document containing personal information.
Application for order
(2) The Commissioner may apply to the Superior Court of Justice for an order,
(a) directing a person to comply with an order made under subsection (1); or
(b) directing any directors and officers of a person to cause the person to comply with an order made under subsection (1).
Powers
(3) The Commissioner may,
(a) examine any information in a document, including personal information, and obtain copies or extracts of documents containing information,
(i) found in any premises entered under clause (b), or
(ii) provided under this Act; and
(b) at any reasonable time, enter any premises, other than a personal residence, occupied by an organization, after satisfying any reasonable security requirements of the organization relating to the premises.
Solicitor-client privilege
(4) If information to which solicitor-client privilege applies is disclosed by a person to the Commissioner at the request of the Commissioner, or obtained by or disclosed to the Commissioner under subsection (1) or clause (3) (a), the solicitor-client privilege is not affected by the way in which the Commissioner has received the information.
Resolution of dispute
(5) The Commissioner may require an individual to attempt to resolve the individual's dispute with an organization in the way directed by the Commissioner before the Commissioner begins or continues a review or investigation under this Act of an applicant's complaint against the organization.
Provision of required document
(6) Despite any other Act or any privilege afforded by the law of evidence, an organization must provide to the Commissioner any document, or a copy of any document, required under subsection (1) or clause (3) (a),
(a) if the Commissioner does not specify a period for the purpose, within 10 business days of the date of the Commissioner's request for the document; or
(b) if the Commissioner specifies a period, within the period specified.
Access
(7) If an organization is required to produce a document under subsection (1) or clause (3) (a) and it is not practicable to make a copy of the document, the organization must provide access for the Commissioner to examine the document at its site.
Return of document
(8) Subject to subsection (9), after completing a review, investigating a complaint, or conducting an audit, the Commissioner must return a document, or a copy of a document, produced by the individual or organization.
Same
(9) On request from an individual or an organization, the Commissioner must return a document, or a copy of a document, produced by the individual or organization within 10 business days of the date on which the Commissioner receives the request.
Maintenance of order at hearings
40 (1) At an oral hearing, the Commissioner may make orders or give directions that he or she considers necessary for the maintenance of order at the hearing, and, if any person disobeys or fails to comply with any order or direction, the Commissioner may call on the assistance of any peace officer to enforce the order or direction.
Powers of police officers
(2) A peace officer called on under subsection (1) may take any action that is necessary to enforce the order or direction and may use such force as is reasonably required for that purpose.
Commissioner's orders
(3) Without limiting subsection (1), the Commissioner, by order, may,
(a) impose restrictions on a person's continued participation in or attendance at a hearing; and
(b) exclude a person from further participation in or attendance at a hearing until the Commissioner orders otherwise.
Contempt proceeding for uncooperative person
41 (1) The failure or refusal of a person subject to an order under section 39 to do any of the following makes the person, on application to the Superior Court of Justice by the Commissioner, liable to be committed for contempt as if in breach of an order or judgment of the court:
1. Attend before the Commissioner.
2. Take an oath or make an affirmation.
3. Answer questions.
4. Produce documents in the person's custody or under their control.
Failure or refusal to comply
(2) The failure or refusal of a person subject to an order or direction under section 40 to comply with the order or direction makes the person, on application to the Superior Court of Justice by the Commissioner, liable to be committed for contempt as if in breach of an order or judgment of the court.
Exceptions
(3) Subsections (1) and (2) do not limit the conduct for which a finding of contempt may be made by the Superior Court of Justice.
Evidence in proceedings
42 (1) The Commissioner and anyone acting for or under the direction of the Commissioner must not give or be compelled to give evidence in a court or in any other proceedings in respect of any information obtained in performing their duties or exercising their powers or functions under this Act, except,
(a) in a prosecution for perjury in respect of sworn testimony;
(b) in a prosecution for an offence under this Act; or
(c) in an application for judicial review or an appeal from a decision with respect to that application.
Exception
(2) Subsection (1) applies also in respect of evidence of the existence of proceedings conducted before the Commissioner.
Protection against libel or slander actions
43 Anything said, any information supplied or any record produced by a person during an investigation or inquiry by the Commissioner is privileged in the same manner as if the investigation or inquiry were a proceeding in a court.
Restrictions on disclosure of information by Commissioner and staff
44 (1) The Commissioner and anyone acting for or under the direction of the Commissioner must not disclose any information obtained in performing their duties or exercising their powers and functions under this Act, except as provided in subsections (2) to (6).
Disclosure
(2) The Commissioner may disclose, or may authorize anyone acting on behalf of or under the direction of the Commissioner to disclose, information that is necessary to,
(a) conduct an investigation, audit or inquiry under this Act; or
(b) establish the grounds for findings and recommendations contained in a report under this Act.
Precautions
(3) In conducting an investigation, audit or inquiry under this Act and in a report under this Act, the Commissioner and anyone acting for or under the direction of the Commissioner must take every reasonable precaution to avoid disclosing and must not disclose,
(a) any personal information an organization would be required or authorized to refuse to disclose if it were contained in personal information requested under section 27; or
(b) whether information exists, if an organization in refusing to provide access does not indicate whether the information exists.
Evidence of offence
(4) The Commissioner may disclose to the Attorney General information relating to the commission of an offence against a statute or regulation of Ontario or Canada if the Commissioner considers there is evidence of an offence.
Prosecution, application or appeal
(5) The Commissioner may disclose, or may authorize anyone acting for or under the direction of the Commissioner to disclose, information in the course of a prosecution, application or appeal referred to in section 42.
Information sharing agreement
(6) The Commissioner may disclose, or may authorize anyone acting for or under the direction of the Commissioner to disclose, information in accordance with an information-sharing agreement entered into under paragraph 12 of subsection 36 (1).
Protection of Commissioner and staff
45 No proceedings lie against the Commissioner, or against a person acting on behalf of or under the direction of the Commissioner, for anything done, reported or said in good faith in the exercise or performance or the intended exercise or performance of a duty, power or function under this Part or Part XI.
Delegation by Commissioner
46 (1) The Commissioner may delegate to any person any duty, power or function of the Commissioner under this Act, except the power to delegate under this section.
Requirements
(2) A delegation under subsection (1) must be in writing and may contain any conditions or restrictions the Commissioner considers appropriate.
Annual report of Commissioner
47 (1) The Commissioner shall report annually to the Speaker of the Legislative Assembly on the work of the Commissioner's office under this Act.
Legislative Assembly
(2) The Speaker shall lay the annual report before the Legislative Assembly as soon as possible.
Part XI
Reviews and Orders
Definitions
48 In this Part:
"complaint" means a complaint referred to in subsection 36 (2); ("plainte")
"inquiry" means an inquiry under section 53; ("enquête")
"request" means a request made in writing to the Commissioner under section 49 to,
(a) resolve a complaint, or
(b) conduct a review; ("demande")
"review" means a review of a decision, act or failure to act of an organization,
(a) respecting access to or the correction of personal information about the individual who requests the review, and
(b) referred to in the request for the review. ("examen")
Asking for a review
49 (1) An individual who has asked an organization for access to or the correction of their personal information may ask the Commissioner to conduct a review of the resulting decision, act or failure to act of the organization.
Complaint
(2) An individual may make a complaint to the Commissioner.
Resolution of dispute
(3) If the Commissioner is satisfied that subsection 39 (5) applies to an individual who has made a request, the Commissioner may defer beginning or adjourn the review to allow an attempt to be made under that subsection to resolve the dispute.
How to ask for a review or make a complaint
50 (1) An individual may ask for a review or make a complaint by delivering a request to the Commissioner.
Same
(2) A request must be delivered within,
(a) 30 business days of the date on which the person making the request is notified of the circumstances on which the request is based; or
(b) a longer period allowed by the Commissioner.
Exception
(3) The time limit in clause (2) (a) does not apply to a request respecting,
(a) a failure by an organization to respond within a required time period established by this Act; or
(b) a complaint.
Notifying others of review
51 (1) On receiving a request for a review, the Commissioner must give a copy of the request to,
(a) the organization concerned; and
(b) any other person that the Commissioner considers appropriate.
Request respecting complaint
(2) The Commissioner may act under subsection (1) on receiving a request respecting a complaint.
Mediation may be authorized
52 The Commissioner may authorize a mediator to investigate and to try to settle the matter on which a request is based.
Inquiry by Commissioner
53 (1) If a matter is not referred to a mediator or is not settled under section 52, the Commissioner may conduct an inquiry and decide all questions of fact and law arising in the course of the inquiry.
May be in private
(2) An inquiry may be conducted in private.
Representations
(3) The individual who makes a request, the organization concerned and any person given a copy of the request must be given an opportunity to make representations to the Commissioner during the inquiry.
Decision
(4) The Commissioner may decide,
(a) whether representations are to be made verbally or in writing; and
(b) whether a person is entitled to be present during, to have access to or to comment on representations made to the Commissioner by another person.
Counsel or agent
(5) The individual who makes a request, the organization concerned and any person given a copy of the request may be represented at the inquiry by counsel or by an agent.
Deadline
(6) If the matter on which a complaint is based is referred under section 52 to a mediator and is not settled by the mediation, the inquiry respecting the complaint must be completed within 30 business days of the day on which the mediation ends.
Same
(7) If a complaint is not referred under section 52 to a mediator and the Commissioner decides to hold an inquiry respecting the review, the inquiry must be completed within 30 business days of the day on which the request is delivered under subsection 50 (1).
Same
(8) An inquiry respecting a review must be completed within 90 business days of the day on which the request is delivered under subsection 49 (1), unless the Commissioner,
(a) specifies a later date; and
(b) notifies the following individuals of the date specified under clause (a):
(i) the individual who made the request,
(ii) the organization concerned,
(iii) any person given a copy of the request.
Adjournment period
(9) The period of an adjournment under subsection 49 (3) must not be included for the purpose of calculating a deadline under subsection (7) or (8) of this section.
Burden of proof
54 (1) Subsection (2) applies to an inquiry into a decision to refuse an individual,
(a) access to all or part of an individual's personal information;
(b) information respecting the use or disclosure of the individual's personal information; or
(c) the names of the sources from which a credit reporting agency received personal information about the individual.
Same
(2) At an inquiry described in subsection (1), it is up to the organization to prove to the satisfaction of the Commissioner that the individual has no right of access to his or her personal information, no right to the information requested respecting the use or disclosure of the individual's personal information or no right to the names of the sources from which a credit reporting agency received personal information about the individual.
Commissioner's orders
55 (1) On completing an inquiry under section 53, the Commissioner must dispose of the issues by making an order under this section.
Same
(2) If the inquiry is into a decision of an organization to give or to refuse to give access to all or part of an individual's personal information, the Commissioner must, by order, do one of the following:
(a) require the organization,
(i) to give the individual access to all or part of his or her personal information under the control of the organization,
(ii) to disclose to the individual the ways in which the personal information has been used,
(iii) to disclose to the individual names of the individuals and organizations to whom the personal information has been disclosed by the organization, or
(iv) if the organization is a credit reporting agency, to disclose to the individual the names of the sources from which it received personal information about the individual,
if the Commissioner determines that the organization is not authorized or required to refuse access by the individual to the personal information;
(b) either confirm the decision of the organization or require the organization to reconsider its decision, if the Commissioner determines that the organization is authorized to refuse the individual access to his or her personal information;
(c) require the organization to refuse the individual access to all or part of his or her personal information, if the Commissioner determines that the organization is required to refuse that access.
Other matters
(3) If the inquiry is into a matter not described in subsection (2), the Commissioner may, by order, do one or more of the following:
1. Confirm that a duty imposed under this Act has been performed or require that a duty imposed under this Act be performed.
2. Confirm or reduce the extension of a time limit under section 31.
3. Confirm, excuse or reduce a fee, or order a refund, in the appropriate circumstances.
4. Confirm a decision not to correct personal information or specify how personal information is to be corrected.
5. Require an organization to stop collecting, using or disclosing personal information in contravention of this Act, or confirm a decision of an organization to collect, use or disclose personal information.
6. Require an organization to destroy personal information collected in contravention of this Act.
Terms or conditions
(4) The Commissioner may specify any terms or conditions in an order made under this section.
Copy of order
(5) The Commissioner must give a copy of an order made under this section to all of the following:
1. The individual who made the request.
2. The organization concerned.
3. Any person given notice under section 51.
4. The minister responsible for this Act.
Duty to comply with orders
56 (1) Not later than 30 business days after being given a copy of an order of the Commissioner, the organization concerned must comply with the order unless an application for judicial review of the order is brought before that period ends.
Brought before end of period
(2) If an application for judicial review is brought before the end of the period referred to in subsection (1), the order of the Commissioner is stayed from the date the application is brought until a court orders otherwise.
Part XII
General Provisions
Protection
57 An organization must not dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee of the organization, or deny that employee a benefit, because
(a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that the organization or any other person has contravened or is about to contravene this Act;
(b) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act;
(c) the employee, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of this Act; or
(d) the organization believes that an employee will do anything described in clause (a), (b) or (c).
Non-retaliation
58 A person who has reasonable grounds to believe that an organization has contravened or is about to contravene a provision of this Act or the regulations and who, in good faith, notifies the Commissioner of the particulars of the matter, whether or not the person makes a complaint under subsection 49 (2), may request that the Commissioner keep the person's identity confidential with respect to the notification.
Offences and penalties
59 (1) Subject to subsection (2), an organization or person commits an offence if the organization or person,
(a) uses deception or coercion to collect personal information in contravention of this Act;
(b) disposes of personal information with an intent to evade a request for access to the personal information;
(c) obstructs the Commissioner or an authorized delegate of the Commissioner in the performance of his or her duties or powers under this Act;
(d) knowingly makes a false statement to the Commissioner, or knowingly misleads or attempts to mislead the Commissioner, in the course of the Commissioner's performance of his or her duties or powers under this Act;
(e) contravenes section 57; or
(f) fails to comply with an order made by the Commissioner under this Act.
Liability
(2) An organization or person that commits an offence under subsection (1) is liable,
(a) if an individual, to a fine of not more than $10,000; and
(b) if a person other than an individual, to a fine of not more than $100,000.
Compliance with requirements
(3) A person or organization is not liable to prosecution for an offence against this or any other Act because the person or organization complies with a requirement of the Commissioner under this Act.
Damages for breach of Act
60 (1) If the Commissioner has made an order under this Act against an organization and the order has become final as a result of there being no further right of appeal, an individual affected by the order has a cause of action against the organization for damages for actual harm that the individual has suffered as a result of the breach by the organization of obligations under this Act.
Offence
(2) If an organization has been convicted of an offence under this Act and the conviction has become final as a result of there being no further right of appeal, a person affected by the conduct that gave rise to the offence has a cause of action against the organization convicted of the offence for damages for actual harm that the person has suffered as a result of the conduct.
Regulations
61 (1) The Lieutenant Governor in Council may make regulations,
(a) prescribing procedures to be followed in making and responding to requests under this Act;
(b) permitting prescribed categories of applicants to make requests under this Act orally instead of in writing;
(c) authorizing the disclosure of personal information relating to the mental or physical health of individuals to medical or other experts to determine, for the purposes of section 23, if disclosure of that information could reasonably be expected to result in grave and immediate harm to the safety of or the mental or physical health of those individuals;
(d) prescribing procedures to be followed or restrictions considered necessary with respect to the disclosure and examination of information referred to in clause (c);
(e) prescribing special procedures for giving individuals access to personal information about their mental or physical health;
(f) prescribing the classes of individuals who may act for minors, incompetents, deceased persons or any other individuals under this Act and regulating the manner in which, and the extent to which, any rights or powers of individuals under this Act may be exercised on their behalf;
(g) respecting fees, including circumstances in which fees,
(i) are not payable, or
(ii) must not be above a prescribed amount or percentage;
(h) prescribing any matter that this Act requires to be prescribed or refers to as being prescribed;
(i) for any other purpose contemplated by this Act.
Categories
(2) A regulation under clause (1) (c) may,
(a) specify categories of experts to whom personal information relating to the mental or physical health of individuals may be disclosed to assess whether its disclosure to other persons could reasonably be expected to result in grave and immediate harm to the safety of or the mental or physical health of those individuals;
(b) impose on members of a category of experts obligations respecting the use and disclosure of personal information obtained to make an assessment described in clause (a); or
(c) provide differently for different categories of experts.
Review of Act
Three years
62 (1) Within three years after January 1, 2019, a special committee of the Legislative Assembly must begin a comprehensive review of this Act and must submit a report respecting this Act to the Legislative Assembly within one year after the date of the appointment of the special committee.
Six years
(2) At least once every six years, a special committee of the Legislative Assembly must act as described in subsection (1).
Recommendations
(3) A report submitted under subsection (1) or (2) may include any recommended amendments to this Act or any other Act.
Beginning of period
(4) For the purposes of subsection (2), the first six year period begins on the submission of the report under subsection (1) to the Legislative Assembly.
Commencement
63 This Act comes into force three months after the day it receives Royal Assent.
Short title
64 The short title of this Act is the Personal Information Protection Act, 2018.