CREA Privacy Tool Kit

USING YOUR PRIVACY TOOLKIT FOR REALTORS
Your PRIVACY TOOLKIT for REALTORS is based on the Adobe Acrobat Reader application which
includes complete documentation in an accessible PDF-based help system. The help system includes
information on all the Acrobat Reader tools, commands, and features for both Windows and Mac OS
systems. The PDF format is designed to provide easy navigation and can also be printed out.
For your convenience, we have outlined a few of the most commonly-used features:
Using bookmarks
The contents of your PRIVACY TOOLKIT are shown as bookmarks in the Bookmark pane (to the left
of your screen). To view subtopics, click the plus sign (Windows users) or arrow symbol (Mac users)
next to a topic. The topic will be expanded to show the subtopics it contains. Each bookmark is a
hyperlink to the associated section of the document. To view the contents, click the bookmark. As you
view the contents in the document pane, the bookmark associated with that content will be highlighted
in the bookmark pane to help you easily identify where you are in the document.
Using the navigation arrows
Navigation arrows are provided at both the top and bottom of the Reader frame to help you move easily
back and forth between pages.
[Figures: Top Navigation and Bottom Navigation arrows]
Clicking the “left arrow” will take you to the last page you viewed. Clicking the “right arrow” will take
you to the next page. You can also page through the document using the navigation options available
under the “Document” menu.
To find a topic using the find command:
1. Choose Edit > Find.
2. Enter a word or a phrase in the text box, and click OK.
3. Reader will search the document, starting from the current page, and display the first occurrence of
the word or phrase you are searching for.
4. To find the next occurrence, choose Edit > Find Again.
World Wide Web hyperlinks
The PRIVACY TOOLKIT has been set up with easy access to web pages. Any BLUE-COLOURED
type can be clicked upon and it will immediately link you to the associated web page.
Printing the document
Although PRIVACY TOOLKIT has been optimized for on-screen viewing, you can print out the
document or portions of the document. To print, choose Print from the File menu, or click the printer
icon in the Reader toolbar.
Other help resources
For more information about your version of Acrobat Reader, please visit: http://www.adobe.com/acrobat/
PRIVACY TOOLKIT
for REALTORS
Your guide to CREA’s
Privacy Code
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
TABLE OF CONTENTS
I. INTRODUCTION
• Background
• The Personal Information Protection and Electronic Documents Act
• The Ten Principles of Privacy
• The Privacy Code of The Canadian Real Estate Association
II. YOUR TOOLS – WHAT YOU NEED AND WHY
• The Privacy Code
• Sample Office Policies For Realty Firms
• Sample Office Policies For Boards/Associations
• “Making Privacy Work in Your Office” (Implementation Guidelines)
• Privacy Brochure
III. FREQUENTLY ASKED QUESTIONS
IV. BROKERS/OWNERS/MANAGERS – WHAT YOU NEED TO KNOW
V. SALESPERSONS – DO’S AND DON’T’S
VI. RESOURCES
1. REFERENCE MATERIALS
• The Personal Information Protection and Electronic Documents Act (2001)
• Your Privacy Rights: A Guide For Canadians (a publication of the Office
of the Privacy Commissioner of Canada)
• Your Privacy Responsibilities: A Guide For Businesses and Organizations
(a publication of the Office of the Privacy Commissioner of Canada)
2. USEFUL LINKS
3. CONTACT INFORMATION FOR PROVINCIAL/TERRITORIAL PRIVACY COMMISSIONERS
ALL OF THE MATERIALS IN THIS CD-ROM AND ANY PRIVACY UPDATES WILL BE
POSTED ON REALTOR Link™ (http://www.realtorlink.ca). PLEASE CHECK THAT SITE
ON A REGULAR BASIS TO FIND OUT WHAT’S NEW IN PRIVACY.
INTRODUCTION
“…I have yet to meet one person, in public or private life, who has not
professed great belief in the right to privacy. But I have witnessed some of
those same persons engaged in activities utterly destructive of that right.
Talking the talk is no substitute for walking the walk.”
-Bruce Phillips, Privacy Commissioner of Canada
1999-2000 Annual Report
“Civilization is the progress of society toward privacy. The savage’s
whole existence is public, ruled by the laws of the tribe. Civilization
is the process of setting man free from man.”
-Ayn Rand, author, 1943
1. Background
Privacy is considered by many to be an ethereal concept – an idea or philosophy that has an idealistic
sound to it, but no practical application. This thinking is not only wrong, it is dangerously wrong in
this day and age.
Privacy touches every aspect of our day to day routine and should be a serious concern to all of us who
are living in a world which is increasingly becoming an informational fishbowl.
A groundswell of concern has been growing for decades. Too often, organizations have treated your
information as their own. Too often, consumer data has found itself in places it didn’t belong – in the
hands of persons who were not authorized by the consumer himself to hold it. Privacy has been treated
as a luxury accorded only to a select few.
Those days are now gone, and every businessperson, including every REALTOR, must adapt to the
new reality. As of January 1, 2001, privacy was officially recognized not as a privilege, but as a
fundamental human right of every citizen in Canada.
2. The Personal Information Protection and Electronic Documents Act (PIPEDA)
On January 1, 2001, the new federal privacy legislation came into limited effect. The Personal
Information Protection and Electronic Documents Act (PIPEDA) provides, in essence, that no personal
information of consumers will be collected, used or disclosed by businesses without the informed
consent of the individual. As of January 1, 2001, the Act applies only to federally regulated businesses
and many others who send data across provincial and international borders. On January 1, 2004, it will
apply to all commercial enterprises, unless provinces have enacted similar laws.
This legislation was a necessary reaction to a series of concerns – the threat of the European Union
Data Directive which would prohibit all transfer of data to non-EU countries that did not have adequate
privacy protection; rising consumer concerns about privacy, and in particular, the serious erosion of
public confidence in e-commerce.
PIPEDA does not establish exact rules concerning privacy. Rather, it sets out principles intended to
limit data collection and disclosure to “purposes that a reasonable person would consider appropriate
in the circumstances”.
3. The Ten Principles of Privacy
PIPEDA establishes ten privacy principles that must be incorporated into information collection practices.
The principles fall generally into two categories: the substantive principles, which give substance
to the concept of consent (identifying purposes, consent, limiting collection, limiting disclosure), and
the administrative principles, which deal with the day-to-day operations of organizations
(accountability, accuracy, safeguards, openness, individual access and challenging compliance).
These ten principles, when taken together, form the key business obligations and the key consumer
rights of privacy. They create the structure of what has become known as “fair information practices”.
PIPEDA is pro-active in nature, in that it requires all affected organizations to develop policies and
procedures which give life to the ten principles. That means that every realty office and every board
office must establish office policies which comply with PIPEDA.
While organizations may agree with the concept of privacy protection, many have no idea how to put
it into practice in their own offices. It is for this reason that CREA has developed the tools to enable
our member offices to comply with the law and provide their clients with the assurances that their
personal information is being protected.
4. CREA’s Privacy Code
Privacy is a vital issue to the people on the street. They don’t ask that their information be protected.
They demand it. And they demand that businesses which collect their information do so in a responsible
and professional fashion. These people are starting to say more and more frequently to businesses –
“what are your privacy policies?” And we, as a responsible industry, are now able to say to these
people – “here they are.”
The real estate industry demonstrated its commitment to privacy when the membership of CREA approved
a Privacy Code as its national standard at the annual meeting held in Montreal in October of 2001.
CREA’s Privacy Code is the declaration of organized real estate to the public that we respect the
privacy rights of individuals and have adopted policies and procedures to protect those rights.
What the Privacy Code does, in its simplest sense, is set national guidelines. It establishes uniform
standards which can be applied in a consistent manner across the country. It provides a practical
document by which REALTORS and REALTOR organizations can gauge their conduct.
The Privacy Code takes the requirements of PIPEDA and translates them into processes which make
sense in terms of the real-life information collection practices of our membership.
The Privacy Code is now the national privacy standard of organized real estate, and all members have
agreed to abide by those standards.
Everyone is therefore encouraged to familiarize themselves with the provisions of the Code.
YOUR TOOLS
Education, of course, is fundamental to understanding and implementing a policy such as this. To that
end, CREA has been presenting privacy seminars across the country, which have been attended by
thousands of members. Educational initiatives will continue.
However, the primary purpose of this particular CD-ROM is not education. The contents of this disc
are intended to provide our members with the practical tools they need to implement privacy procedures
in their offices and to abide by the new law and the Privacy Code. All of the work in developing these
documents has been done for you. Your challenge now is to become familiar with them and incorporate
them into your practice.
The tools in this package include:
The Privacy Code
The Code is based, as it must be, on the ten principles set out in PIPEDA. Following each heading,
there is a statement of the principle, expressing the position of organized real estate. Each statement is
then followed by a series of examples, explanations, interpretations or suggested procedures.
The Privacy Code, being the expression in general terms of the commitment of organized real estate to
privacy, should be the starting point in your review. It will give you the overview of how privacy is
applied to the practice of real estate.
The ten principles are summarized on a separate sheet in the Code. You can download those principles
and create frameable copies for your office wall. All REALTORS should be provided with copies of
the Code.
Office Policies
This CD-ROM includes office policy templates for both realty firms and real estate boards. The
purpose of the office policy is to give life to the principles of the Privacy Code by applying those
concepts to the actual operation of the office. As the law requires that all offices develop policies
which comply with PIPEDA, these documents are essential tools for all REALTOR organizations.
There is no such thing as a one-size-fits-all office policy. A process that works well in a large office
may not be appropriate for a small one. The wording of these template policies is, therefore, only
suggested wording. The important thing is that the wording of any particular office policy reflect the
principles of the Code. Both of these documents should be read together. Please remember that while
the specific wording can be tailored to your operation, it is nevertheless absolutely essential that all
office policies be amended to incorporate the privacy principles.
It is strongly suggested that the owners/managers of realty firms sit down with the staff and salespersons
and discuss what terms their privacy policies should reflect. Not only will this ensure workable policies,
the very process of developing them will help educate those who are involved.
Making Privacy Work in Your Office (Implementation Guidelines)
Use this guideline to help develop your office policies. Think of it as your user’s manual to the Privacy
Code and the office policies. The guidelines discuss in simple language how the ten principles apply to
your office operation, what is meant by the terms in the sample office policies and why you need to
take certain precautions. This is your annotated guide to the development of policies. It will walk you
through the process and explain what you are doing, why you are doing it, and what you hope to
accomplish at the end of the road.
This is an invaluable tool in the development process. Read it before you begin, and ensure all of the
people in the office have a copy.
Brochure
Both PIPEDA and the Privacy Code require that offices make available to consumers their privacy
policies. The most effective way of doing this is to give your clients brochures which summarize the
principles of privacy you bring to the relationship.
CREA has developed a brochure for this purpose, which can be found on this CD-ROM. Again, the
wording is not mandatory, but has been developed to comply with the law. As with the office policies,
you are free to revise the brochure to better reflect your own procedures.
Space has been left on the brochure for the realty office to put its own name and the privacy contact
within the office.
The brochure can be downloaded so that copies may be left in the waiting room of the office and/or
given to clients.
Resource Materials
We have included a number of useful reference materials and links. PIPEDA itself is on this disc, for
those who are interested in a more in-depth review of the law. Two extremely informative guides
issued by the Privacy Commissioner of Canada – one for companies and the other for individuals – are
also included. There are countless web sites devoted to privacy, both in Canada and the United States.
A few are set out here. We’ve also added the contact information for all of the provincial privacy
commissioners.
THE CREA PRIVACY CODE
I. INTRODUCTION
In the usual course of real estate transactions, REALTORS and REALTOR organizations often
require significant amounts of detailed information about identifiable individuals and companies. Most of this information is considered private under general community standards. The
dissemination of information about an individual is not necessarily bad, indeed it is often vital
in the conduct of business, but the indiscriminate dissemination of information, even if unintentional, may lead to the loss of privacy of an individual. Buyers and sellers therefore expect
that the real estate organizations entrusted with this information will take positive steps to
protect it.
In recognition of this fact, the members of The Canadian Real Estate Association must adhere
closely to strict rules governing the protection of this information.
The Privacy Code, which applies to all member provincial/territorial associations, real estate
boards, brokerage firms, brokers and salespersons, is made up of a set of principles which, if
followed, sets in place a solid foundation within which the REALTOR community can protect
its customers, clients, and the general public.
The Privacy Code sets a minimum standard. To give life to the principles in this Code, detailed
procedures concerning the collection, storage, and distribution of personal information are required to be developed by all REALTOR organizations.
The Canadian Real Estate Association will review this Code at least every two years to ensure
it is relevant and up-to-date.
II. SUMMARY OF PRINCIPLES
PRINCIPLE 1 – ACCOUNTABILITY
Members are responsible for the proper management of all personal information under
their control, and shall designate one or more persons to be accountable for compliance.
PRINCIPLE 2 – IDENTIFYING THE PURPOSES OF PERSONAL INFORMATION
Members shall identify the purposes of collecting information before or at the time the
information is collected.
PRINCIPLE 3 – OBTAINING CONSENT
The knowledge and consent of the consumer are required for the collection, use or
disclosure of personal information except where inappropriate.
PRINCIPLE 4 – LIMITING COLLECTION OF PERSONAL INFORMATION
Members shall limit the collection of personal information to that which is necessary for
the purposes identified.
PRINCIPLE 5 – LIMITING USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION
Members shall use or disclose personal information only for the reason it was collected,
except with the consent of the consumer or as required by law.
PRINCIPLE 6 – ACCURACY OF PERSONAL INFORMATION
Members shall keep personal information as accurate, complete, current and relevant as
necessary for its identified purpose.
PRINCIPLE 7 – PROTECTING INFORMATION
Members shall protect personal information with safeguards appropriate to the sensitivity
of the information.
PRINCIPLE 8 – OPENNESS CONCERNING POLICIES AND PRACTICES
Members shall make readily available to consumers specific information about their
policies and practices relating to the management of personal information.
PRINCIPLE 9 – CONSUMER ACCESS TO PERSONAL INFORMATION
Upon request, members shall inform a consumer of the existence, use and disclosure of
his or her personal information and shall give the individual access to that information.
PRINCIPLE 10 – CHALLENGING COMPLIANCE
A consumer shall be able to address a challenge concerning compliance with the above
principles to the designated accountable person or persons in the member office.
III. DEFINITIONS
Collection: The act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.
Consent: Voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be either express or implied and can be provided directly by the individual or by an authorized representative. Express consent can be given orally, electronically or in writing. Implied consent is consent that can reasonably be inferred from an individual’s action or inaction.
Consumer: Any individual or company who consults with or retains in any way the services of a REALTOR, a brokerage or a real estate board or association. A consumer includes both customers and clients.
Disclosure: Making personal information available outside the member organization.
Member: Includes Provincial/Territorial associations, real estate boards, real estate brokerage firms, brokers and salespersons as the context requires.
Personal Information: Means information about an identifiable individual but does not include:
1. the name, title or business address or telephone number of an employee of an organization;
2. aggregated information that cannot be associated with a specific individual.
Reasonable: The standard of conduct which would be expected by a reasonable consumer of real estate services in all of the circumstances.
Third Party: An individual or organization other than the member itself.
Use: The management of personal information by and within the member organization.
IV. THE CREA PRIVACY CODE IN DETAIL
PRINCIPLE 1 – ACCOUNTABILITY
Members are responsible for the proper management of all personal information under their
control, and shall designate one or more persons to be accountable for compliance.
1.1 The accountability for the protection of personal information rests with the individual REALTOR
for information under his or her control. In the case of Boards/Associations, this refers to the
Executive Officer. In the case of brokerages, it refers to the individual designated to be
responsible for the brokerage under the provincial licensing legislation.
1.2 The accountable person may delegate the day-to-day procedures of compliance to one or more
persons.
1.3 Because of the real cost to organizations of breaches of security and privacy, the designated
individual should have an in-depth knowledge of the Privacy Code and should play a part in
developing the procedures and ensuring staff conforms to the privacy policies.
1.4 The identity of the designated person will be made known upon request.
1.5 Members are responsible for personal information in their custody, including information
transferred to third parties for processing. Each member should use contractual or other means
to provide a comparable level of protection in those circumstances.
1.6 Every member shall implement policies and procedures to give effect to this Privacy Code
including:
• establishing procedures to protect the privacy of personal information;
• training and communicating to staff about the organization’s policies and procedures;
• establishing procedures to receive and respond to complaints;
• developing public information to explain the member’s policies and practices.
PRINCIPLE 2 – IDENTIFYING THE PURPOSES OF PERSONAL INFORMATION
Members shall identify the purposes of collecting information before or at the time the information
is collected.
2.1 Personal information of sellers is used both by the listing brokerage for marketing purposes
and the board for purposes relating to the operation of its MLS® system. Both organizations
must ensure they have obtained the necessary consents from the consumer.
2.2 Listing agreements must set out all of the potential uses the information will be put to by the
board including distributing it to members through the MLS® system, retaining the data
indefinitely and publishing it for statistical analysis or otherwise, advertising in board publications,
placing the information on the Internet and any other uses the board may make of the data.
2.3 Listing agreements must disclose all classes of potential recipients of information including
any non-member individuals or organizations who are allowed some form of access to MLS®
information.
2.4 REALTORS must advise buyers and sellers of the use that will be made by their brokerage of the
information collected. This disclosure must be documented in the listing or buyer agency
agreement or in some other document.
2.5 The collection of personal information shall be limited to that which is necessary for the purpose
identified in 2.2 and 2.4.
PRINCIPLE 3 – OBTAINING CONSENT
The knowledge and consent of the consumer are required for the collection, use or disclosure of
personal information except where inappropriate.
3.1 Each member will make all reasonable efforts to ensure consumers understand how personal
information will be used and disclosed by the organization.
3.2 Consent can be expressed orally (when information is collected over the telephone), in writing
or electronically. The signing by a consumer of a representation agreement containing the
disclosures set out under Principle 2 shall be considered written consent for those identified
purposes.
3.3 Generally, the member will seek consent to use and disclose personal information at the time it
collects it. However, that consent may be sought after the information has been collected, but
before it is used or disclosed for a new purpose.
3.4 Express consent should be obtained whenever practical. However, consent may be implied for
the collection, use and disclosure of personal information in accordance with the known
expectations of a particular individual or in terms of what a reasonable person in similar
circumstances would likely believe necessary, or where express consent is not practical and
where the information would not, in the circumstances, be considered sensitive.
3.5 Consent may be given by a consumer, where appropriate, through an authorized representative
such as a person with a power of attorney.
3.6 An individual may withdraw consent at any time subject to legal or contractual restrictions and
reasonable notice. The organization shall inform the consumer of the implications of such
withdrawal.
3.7 Members shall not refuse to represent a consumer for the reason only that the consumer has
refused to provide consent for the collection or use of certain information unless that information
is required to properly represent the consumer.
3.8 Consent to the collection, use or disclosure of personal information is not required in those
circumstances set out in section 7 of the Personal Information Protection and Electronic
Documents Act. Members may develop policies specifically dealing with these circumstances.
PRINCIPLE 4 – LIMITING COLLECTION OF PERSONAL INFORMATION
Members shall limit the collection of personal information to that which is necessary for the
purposes identified.
4.1 Members shall collect from buyers and sellers only the amount and type of information needed
for the purposes identified to them.
4.2 Members may also collect personal information from other sources including credit bureaus,
public bodies, government agencies and other third parties who represent that they have the
right to disclose the information.
4.3 All personal information shall be collected by fair and lawful means.
PRINCIPLE 5 – LIMITING USE, DISCLOSURE AND RETENTION OF PERSONAL INFORMATION
Members shall use or disclose personal information only for the reason it was collected, except
with the consent of the consumer or as required by law.
5.1 Personal information will not be disclosed except as is necessary and reasonable to facilitate
the real estate transaction unless the written consent of the individual for the extended disclosure
is obtained or such disclosure is required by law.
5.2 Buyers and sellers must be informed that the member may be required, as a result of his/her
agency obligations, to disclose personal information to other clients in the case of dual agency
or where the individual providing the information is a customer and not a client.
5.3 Members shall keep personal information only as long as it remains necessary or relevant for
the purposes identified or as required by law.
5.4 Members shall destroy any personal information no longer needed for its identified purposes or
for legal requirements.
5.5 Information which has been aggregated so as to make it anonymous (e.g. housing statistics) is
not considered personal information.
PRINCIPLE 6 – ACCURACY OF PERSONAL INFORMATION
Members shall keep personal information as accurate, complete, current and relevant as necessary
for its identified purpose.
6.1 All reasonable efforts must be made to protect the integrity of the personal information by ensuring that it is relevant and as accurate and complete as possible to minimize the possibility that
inappropriate or inaccurate information may be used to make a decision about the consumer.
6.2 Personal information will only be updated if it is necessary for the purposes for which it was
collected or if revisions are requested by the consumer.
PRINCIPLE 7 – PROTECTING INFORMATION
Members shall protect personal information with safeguards appropriate to the sensitivity of the
information.
7.1 Personal information is considered confidential and due diligence must be exercised to ensure
it is not stolen, lost, accessed, copied, used or modified without permission.
7.2 Members shall ensure that all employees and other persons acting on their behalf who have
access to such data are required to conform to privacy guidelines.
7.3 The steps taken by Boards/Associations and brokerages to protect personal information in its
possession should include, where appropriate:
(a) physical measures, such as locked filing cabinets and restricted access to offices;
(b) technological measures, such as the use of computer passwords and encryption;
(c) organizational measures such as limiting access on a “need-to-know” basis and educating
employees and salespersons on the privacy guidelines and procedures.
7.4 Members must establish and implement reasonable record retention and destruction policies
consistent with the nature and need for the information and legislative requirements.
PRINCIPLE 8 – OPENNESS CONCERNING POLICIES AND PRACTICES
Members shall make readily available to consumers specific information about their policies
and practices relating to the management of personal information.
8.1 Information regarding a member’s policies and procedures must be easy to understand, readily
available, and will allow consumers to determine:
• the title and office address of the person accountable for the member’s compliance with the
Privacy Code, and to whom inquiries or complaints can be forwarded;
• the means of gaining access to the personal information held by the member;
• what type of personal information is in the member’s control and what it is used for.
8.2 The information described in 8.1 may be made available in a number of ways including brochures,
mail information or on-line access.
PRINCIPLE 9 – CONSUMER ACCESS TO PERSONAL INFORMATION
Upon request, members shall inform a consumer of the existence, use and disclosure of his or her
personal information and shall give the individual access to that information. The consumer
shall be able to challenge the accuracy and completeness of the information and have it amended
as appropriate.
9.1 Members shall, on request, inform consumers whether they hold personal information on them.
Real estate boards, provincial/territorial associations and brokerages shall develop policies and
procedures to allow consumers access to their personal information.
9.2 Policies regarding access to information by the public should be based on openness and ease of
use. A sample procedure is as follows:
(a) One individual in the organization is designated as the person responsible for responding
to access requests;
(b) On written request and appropriate identification satisfactory to the organization, an
individual will be advised of personal information about him/her retained in the
organization’s records;
(c) Where information cannot be disclosed (for example the information contains reference to
other individuals or is subject to solicitor-client privilege) the individual will be given
reasons for non-disclosure;
(d) An individual may correct erroneous or incomplete information and the organization will
amend that information;
The information will be supplied at minimal or no cost to the consumer.
PRINCIPLE 10 – CHALLENGING COMPLIANCE
A consumer shall be able to address a challenge concerning compliance with the above principles
to the designated accountable person or persons in the member office.
10.1 An individual must be able to put forward a complaint that the principles of this Code have
not been adhered to.
10.2 Individuals dissatisfied with the internal complaint resolution of an organization will be advised
of the avenues available to direct their complaint, including the office of the Privacy
Commissioner of Canada or, if applicable, the appropriate provincial privacy commissioner.
PRIVACY TOOLKIT for REALTORS
Office Policies for Realty Firms
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
OFFICE POLICIES – REALTY FIRMS
1. The Privacy Code of The Canadian Real Estate Association
This office is a member of The Canadian Real Estate Association (CREA) and adheres to and abides by
the principles set out in the CREA Privacy Code. All employees and sales representatives associated
with this office must sign an acknowledgement that they will comply with the requirements of the Code.
2. The Policy Statement
This office only collects personal information necessary to effectively market and sell the property of
sellers, to locate, assess and qualify properties for buyers and to otherwise provide professional and
competent real estate services to clients and customers.
3. The Person In Charge
____________________ (person/position) is the privacy compliance officer responsible for privacy
compliance in this office. His/her name shall be made available to consumers. The responsibilities of
the privacy compliance officer shall include:
(a) establish and update information protection policies;
(b) ensure policies are implemented by other organizations to which data-processing functions
are outsourced;
(c) establish criteria for classification of information;
(d) evaluate the accessibility of sensitive information and take corrective action where necessary;
(e) provide education to employees on the importance of information protection;
(f) attempt to resolve consumer privacy complaints to the satisfaction of the consumer.
4. The Collection, Use and Disclosure of Personal Information
(a) Only the information necessary to facilitate the real estate transaction or otherwise provide
professional and competent service to clients and customers will be collected;
(b) No personal information shall be collected from an individual without first obtaining the
consent of the individual to the collection, use and dissemination of that information;
(c) Express consent (whether oral or written) must always be obtained except in the following
situation. Consent may be implied where the information is not sensitive and where it can
be reasonably assumed that the individual would expect the information to be disclosed in
this fashion;
(d) Once information is collected, it will be used and disclosed only for the purposes disclosed
to the individual;
(e) All representation agreements must include the approved privacy clauses.
5. Disclosure for New Purpose
(a) Anyone using personal information for some new purpose that extends beyond the consent
already provided must obtain the express consent of the person for that use;
(b) Requests for information by law enforcement officials, lawyers, private investigators or
other agents or subpoenas for documents issued by the court must be referred to the (privacy
officer/office manager or broker/agent as appropriate).
6. Protecting Information
Information must be protected in a manner commensurate with its sensitivity, value and criticality.
This policy applies regardless of the media on which information is stored, the locations where the
information is stored, the systems used to process the information, or the processes by which information
is handled.
(a) Collection and Disclosure
(i) Meetings with customers and clients on these premises must take place in a place and
manner to ensure confidentiality;
(ii) Mail and faxes must be routed directly to the intended recipient;
(iii) Information should be available to other persons in the office only on a need-to-know basis.
(b) Storage
(i) Filing cabinets designated by the office manager to contain personal, including sensitive, information are to be kept secured at all times;
(ii) All personnel have computer passwords. These passwords are confidential and are
not to be shared with any unauthorized persons.
(c) Destruction
(i) This office has in place a record retention and destruction policy. Refer to that portion of the policy manual for details.
7. Accuracy of Personal Information
To ensure the quality of the information collected:
(a) insofar as possible, personal information should be collected directly from the consumer;
(b) public property information (taxes, assessment data etc.) should be verified;
(c) disclaimers of accuracy in the form approved by the office should always be attached to
any disclosure of information.
8. Access to Personal Information
(a) Copies of any privacy brochure approved by this office should always be available to the
public in the reception area of the office;
(b) The individual set out in Section 3 as being responsible for privacy compliance is the
person responsible for responding to access requests and all such requests will be referred
to him or her. All staff and salespersons will co-operate fully with the privacy compliance
officer in responding to requests;
(c) On written request and appropriate identification satisfactory to the organization, an
individual will be advised of personal information about him/her retained in the firm’s
records;
(d) Where information cannot be disclosed (for example the information contains reference to
other individuals or is subject to solicitor-client privilege) the individual will be given
reasons for non-disclosure;
(e) An individual may have appended to a record, any alternative information where the office
is of the view that the appended information is, in fact, correct;
(f) A minimal administrative fee may be charged to supply the information.
9. Compliance
(a) Any complaints from an individual concerning the collection, use or disclosure of their
personal information or concerning the individual’s ability to access their personal
information must be referred to the privacy compliance officer, who will attempt to resolve
the complaint to the individual’s satisfaction;
(b) In the event the complaint cannot be resolved internally to the individual’s satisfaction, he
or she will be advised of where to direct the complaint.
PRIVACY TOOLKIT for REALTORS
Office Policies for Boards & Associations
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
OFFICE POLICIES – BOARDS & ASSOCIATIONS
1. The Privacy Code of The Canadian Real Estate Association
This board is a member of The Canadian Real Estate Association (CREA) and adheres to and abides by
the principles set out in the CREA Privacy Code. All employees and sales representatives associated
with this board must sign an acknowledgement that they will comply with the requirements of the Code.
2. The Policy Statement
The ____________________ Real Estate Board only collects personal information:
(a) About member REALTORS necessary to process membership, collect dues, operate the
MLS® system, enforce its By-laws and generally effectively administer the board;
(b) About buyers, sellers and properties provided by member REALTORS in the course of the
operation of an MLS® system.
3. The Person In Charge
____________________ is the person/position responsible for privacy compliance in this board. His/
her name shall be made available to consumers. The responsibilities of the privacy compliance officer
shall include:
(a) establish and update information protection policies;
(b) ensure policies are implemented by other boards to which data-processing functions are
outsourced;
(c) establish criteria for classification of information;
(d) evaluate the accessibility of sensitive information and take corrective action where necessary;
(e) provide education to employees on the importance of information protection;
(f) attempt to resolve consumer and member privacy complaints to the satisfaction of the
individual.
4. The Collection, Use and Disclosure of Personal Information
(a) No personal information shall be collected from an individual without first obtaining the
consent of the individual to the collection, use and dissemination of that information;
(b) Express consent (whether oral or written) must always be obtained except in the following
situation. Consent may be implied where the information is not sensitive and where it can
be reasonably assumed that the individual would expect the information to be disclosed in
this fashion;
(c) Once information is collected, it will be used and disclosed only for the purposes disclosed
to the individual;
(d) Standard form listing agreements and/or buyer agency agreements prepared by the board
for use by members shall contain the clauses approved by the directors by which the seller/
buyer authorizes the collection, use and disclosure of personal information.
5. Disclosure for New Purpose
(a) Anyone using personal information for some new purpose that extends beyond the consent
already provided must obtain the express consent of the person for that use;
(b) Requests for information by law enforcement officials, lawyers, private investigators or
other agents or subpoenas for documents issued by the court must be referred to the
executive officer.
6. Protecting Information
Information must be protected in a manner commensurate with its sensitivity, value and criticality. This
policy applies regardless of the media on which information is stored, the locations where the information
is stored, the systems used to process the information, or the processes by which information is handled.
(a) Collection and Disclosure
(i) Meetings with REALTORS or members of the public must take place in a place and
manner to ensure confidentiality;
(ii) Mail and faxes must be routed directly to the intended recipient;
(iii) Information should be available to other persons in the board only on a need-to-know
basis.
(b) Storage
(i) Filing cabinets designated by the board manager to contain personal, including sensitive, information are to be kept secured at all times;
(ii) All personnel have computer passwords. These passwords are confidential and are
not to be shared with any unauthorized persons.
(c) Destruction
(i) This board has in place a record retention and destruction policy. Refer to that portion of the policy manual for details.
7. Accuracy of and Access to Personal Information
To ensure the quality of the information collected:
(a) Insofar as possible, personal information about member REALTORS should be collected
directly from the consumer;
(b) Listing information should be collected directly from the listing broker/salesperson; public
property information (taxes, assessment data etc.) collected directly by a real estate board
from a public source should be verified with that source. Public property information
provided by a REALTOR should be verified by the REALTOR;
(c) Disclaimers of accuracy should always be attached to any disclosure of information and on
all MLS® data.
8. Access to Personal Information
(a) Copies of any privacy brochure approved by this board should always be available to the
public in the reception area of the board;
(b) The individual set out in Section 3 as being responsible for privacy compliance is the
person responsible for responding to access requests and all such requests will be referred
to him or her. All staff persons will co-operate fully with the privacy compliance officer in
responding to requests;
(c) On written request and appropriate identification satisfactory to the board, an individual
will be advised of personal information about him/her retained in the board’s records;
(d) Where information cannot be disclosed (for example the information contains reference to
other individuals or is subject to solicitor-client privilege) the individual will be given
reasons for non-disclosure;
(e) An individual may have appended to a record any alternative information where the office
is of the view that the appended information is, in fact, correct;
(f) A minimum administrative fee may be charged to supply the information.
9. Compliance
(a) Failure to comply with the Privacy Code constitutes a breach of CREA’s Code of Ethics
and Standards of Business Practice;
(b) Any complaints from an individual concerning the collection, use or disclosure of their
personal information or concerning the individual’s ability to access their personal
information must be referred to the privacy compliance officer, who will attempt to resolve
the complaint to the individual’s satisfaction;
(c) In the event the complaint cannot be resolved internally to the individual’s satisfaction, he
or she will be advised of where to direct the complaint.
PRIVACY TOOLKIT for REALTORS
Making privacy work in your office
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
MAKING PRIVACY WORK
Office policy manuals for real estate offices and for boards/associations should be revised to
include privacy policies and procedures.
The CREA Privacy Code itself is intended to establish the fundamental guidelines of privacy and
reference to it should provide guidance in how to deal with privacy issues. Internal policies should be
as clear and concise as possible and should assist employees in giving effect to the principles of the
Code within your office environment.
The ten principles of the Code are inter-related and should be read together. By the same token, a
specific provision within an office policy may address a number of principles. The office policy
should therefore also be read as a whole.
This guideline contains explanations of how the ten principles of the Code can be applied at the
office level.
OFFICE POLICIES
A. The Policy Statement
Organizations should begin by adopting a general policy statement about their collection, use and
disclosure of personal information which could appear on brochures or other informational documents
provided to the public. This policy statement tells consumers in one or two sentences that your company
cares about privacy, that your company respects privacy rights and that your company will take all
reasonable steps to protect those rights. An example of such a statement is as follows:
“John Doe Realty Inc. only collects personal information necessary to effectively market
and sell the property of sellers, to locate, assess and qualify properties for buyers and to
otherwise provide professional and competent real estate services to clients and customers.”
B. The Person in Charge
The Code requires that organizations designate someone to be accountable for compliance. The Code
specifically states in Paragraph 1.1 that in the case of brokerages, this refers to the individual designated
to be responsible for the brokerage under the provincial licensing legislation. An example of an office
policy giving effect to this requirement (see Principle 1 – Accountability for more details) could be:
“_______________ is the person/position responsible for privacy compliance in this office.
His/her name shall be made available to consumers. The responsibilities of the privacy
compliance officer shall include:
(a) establish and update information protection policies;
(b) ensure policies are implemented by other organizations to which data-processing
functions are outsourced;
(c) establish criteria for classification of information;
(d) evaluate the accessibility of sensitive information and take corrective action where
necessary;
(e) provide education to employees on the importance of information protection;
(f) attempt to resolve consumer privacy complaints to the satisfaction of the consumer.”
As you can see from this list of responsibilities, the function of the privacy compliance officer is really
an administrative one. This person will be responsible for implementing the privacy policies in the
office, training staff and responding to questions or concerns from members of the public. The theory
behind this requirement is that appointing a specific individual adds to the effectiveness and the efficiency
of a privacy policy. It ensures better responsiveness to privacy concerns from the public, and allows
someone internally to build up an expertise in privacy issues.
The Privacy Code allows this responsibility to be delegated, so the “accountable” person can hand
over the day-to-day responsibilities to someone else – for example, the office manager. In effect,
privacy compliance would then become another area of responsibility for the person running the office.
C. The Collection, Use and Disclosure of Personal Information
CREA’s Privacy Code sets out a number of requirements regarding collecting, using and disclosing
personal information. The basic requirements are as follows:
(1) Identify to consumers the uses you intend to make of their personal information (Principle 2);
(2) Collect only that information necessary for the uses identified (Principle 4);
(3) Disclose information only for the reason it was collected (Principle 5);
(4) Obtain the consent of the consumer for the collection and disclosure of information (Principle 3).
How does a realty firm give effect to these requirements?
(i) Limiting Collection
First of all, an office policy should confirm that only necessary information is to be collected. An
example of wording is:
“Salespeople and other representatives of this office will collect only the information
necessary to facilitate the real estate transaction or otherwise provide professional and
competent service to clients and customers.”
TIPS: Minimizing information collection reduces costs and risks of inappropriate disclosures. Requests
for any information are inappropriate unless there is a specific requirement for that information.
On a listing, for example, the balance outstanding on the mortgage is relevant information. The
income of the vendor is likely not relevant and should not be collected. Likewise, requests for
social insurance numbers and credit card information are inappropriate.
REALTORS need to direct their minds to the question of what information is actually needed for
the job they are doing, and ensure they collect only that information.
(ii) Identifying Purposes and Consent
All of the other requirements in this category can usually be satisfied by adding the appropriate clauses
to representation agreements.
The following is a suggested clause for listing agreements, bearing in mind that the personal information
collected from sellers has two separate uses – those of the brokerage in marketing the property and
those of the board and the operation of its MLS® system:
Listing Agreement Clause For Broker Use of Information
Collection, Use and Disclosure of Personal Information (Version 1)
The seller consents to the collection, use and disclosure of personal information by
the broker for the purpose of listing and marketing the property including, but
not limited to:
(i) listing and advertising the property, using any medium including
the Internet;
(ii) disclosing property information to prospective buyers, brokers,
salespersons and others who may assist in the sale of the property;
(iii) such other use of the seller’s personal information as is consistent
with listing and marketing of the property.
Collection, Use and Disclosure of Personal Information (Version 2)
The seller consents to the collection, use and disclosure of personal information by
the broker for the purpose of listing and marketing the property.
NOTE: Version 1 of this clause sets out the disclosures that CREA believes should be included in the listing agreement in order to obtain the informed consent of the seller to the collection and disclosure of the information. At the
same time, we recognize that many listing agreements already contain some or all of these disclosures. There’s no
need to duplicate clauses. If the various disclosures already exist in the body of the agreement, Version 2 of this
clause would be satisfactory. Alternatively, boards may wish to use Version 1 in order to collect the various clauses
together into one privacy disclosure paragraph.
Listing Agreement Clause For Use of Information by Boards
Collection, Use and Disclosure of Personal Information by the Board(s)
Operating the Multiple Listing Service(s)®
The seller consents to placement of the listing information and sales
information by the broker into the database(s) of the appropriate MLS®
system(s) and acknowledges that the MLS® database is the property of
the board(s) and can be licensed, resold, or otherwise dealt with by the
board(s). The seller further acknowledges that the board(s) may:
(i) distribute the information to any persons authorized to use such service
which may include other brokers, government departments, appraisers,
municipal organizations and others;
(ii) market the property, at its option, in any medium, including electronic
media;
(iii) compile, retain and publish any statistics including historical MLS data
which may be used by licensed board members to conduct comparative
market analyses; and
(iv) make such other use of the information as the board deems appropriate in
connection with the listing, marketing and selling of real estate.
Note: It is strongly recommended that boards incorporate a clause of this nature in all listing
agreements.
A clause to accomplish the same purpose should be inserted into buyer agency agreements. A sample
clause is as follows:
Clause For Use in Buyer Agency Agreement
“The buyer consents to the collection, use and disclosure of personal information by the
broker for such purposes that relate to the real estate services provided by the broker
to the buyer including, but not limited to:
(i) locating, assessing and qualifying properties for the buyer;
(ii) advertising on behalf of the buyer;
(iii) providing information as needed to third parties retained by the buyer to assist
in a transaction (e.g. financial institutions, building inspectors, etc.); and
(iv) such other use of the buyer’s information as is consistent with the services provided by the broker in connection with the purchase or prospective purchase of
the property.”
The buyer agrees that the sale and related information regarding any property
purchased by him through the broker may be retained and disclosed by the broker
and/or the board(s) for reporting, appraisal and statistical purposes.
Brokerages which have identified additional specific uses for information in the course of their business,
which would not be covered by these general clauses, should add those uses to their representation agreements.
NOTE: A question that has arisen is what happens if a seller gives a board permission to use the
information for all MLS® purposes and the buyer, after purchasing the property, says that the
information is now his and he wants the board to stop using it for any purpose. It appears that
one party cannot argue a “better right” to the information than the other. The better position is
that all of the information, with the possible exception of the buyer’s name, has been authorized
to be provided by the seller. It should not, then, be within the buyer’s power after the deal has
been closed to contact the board and indicate that he wishes this information to be deleted from
the MLS® system. The board has been given the consent to post that information by the seller.
The seller has at least as much right to the information as the buyer and the board should be able
to retain it.
These clauses in listing agreements and buyer agency agreements will likely cover all or virtually all of
the collection, use and disclosure made of information during the course of a standard residential transaction.
Once these clauses are incorporated into representation agreements, the office policy need only state:
“The approved form of representation agreements must always be used by salespeople”.
REALTORS must be aware of the content of the disclosure clauses in their representation agreements
and be prepared to explain their meaning to clients.
(iii) Aggregated Information
No consent is necessary for the disclosure of aggregated information which does not specify individuals – for example, housing statistics.
(iv) Other Methods of Consent
There are two types of consent, express and implied.
Express Consent – The most effective form of express consent is the clause discussed above inserted
into a representation agreement.
Other methods of obtaining express consent can include:
(a) Phone
Would you like me to send you more information by mail or may I call you in the future to
discuss my services?
(b) Response Card
Please check the box if you would like to receive further information about my services.
(c) Telephone Key Pad or Computer
Press the following key if you wish to have your name included on my mailing list.
Implied Consent – Consent may be implied where the information is not sensitive and where it can be
reasonably assumed that the individual would expect the information to be disclosed in this fashion.
Examples of implied consent would include:
(a) Telephone
An automated message from the salesperson inviting the listener to leave their name and address
to be sent specific information would imply that other information and marketing may be sent
to them.
(b) Internet
An inquiry directed to an agent would imply the writer is interested in that particular type of
information or neighbourhood and follow-up marketing would not normally be inappropriate.
When relying on implied consent, the choices provided to the individual must be meaningful, easy to
understand and easy to execute, and the opportunity to withdraw consent must be provided as early as possible.
Office policies could specify the types of express and implied consent which are acceptable.
D. Use the Information Only As Disclosed
Once the client has been told what will be done with the information, REALTORS must be diligent to
use the information only for those disclosed purposes. This is a logical next step. The REALTOR has
told the client what use will be made of the information, and he or she is now required to use it only for
those purposes.
A common example of an unauthorized use of client information is the creation of a mailing list. This
list is sometimes sold or given to third parties, who then send information about their services to the
client. Alternatively, the REALTOR may use the list to send ongoing promotional material to the
clients. REALTORS using client names and contact information for any of these purposes must first
obtain the client’s consent.
E. Disclosure for New Purpose
Information can be used, without further consent, for all purposes reasonably expected in providing
real estate services in connection with a particular transaction. Any unrelated uses, however, require
prior consent.
New or unrelated uses really fall into two categories – unexpected uses of the information in the course
of a transaction such as supplying it to some government agency or other third party not originally
anticipated and being required to provide the information because of some legal intervention.
In the former case, office policies should simply confirm that express consent is necessary. Sample
wording might be:
“Anyone using personal information for some new purpose that extends beyond the consent
already provided, must obtain the express consent of the person for that use.”
In the latter case, consent is not required to disclose information if the organization is required by law
to do so (e.g. if served with a subpoena to produce documents, or a search warrant, or if required by a
statute). However, it is not appropriate to have office staff determine what falls into the definition of
“required by law”.
An office policy should, therefore, simply require that requests for information from authorities be
submitted to the individual managing the office. Sample wording could be:
“Requests for information by law enforcement officials, lawyers, private investigators or
other agents or subpoenas for documents issued by the court must be referred to the
office manager.”
Decisions as to whether to release specific information should then be made in consultation with a
lawyer.
F. Protecting Information
The next issue is how information is safeguarded once it is in the possession of the organization.
The basic policy principle of security which could be reflected in a policy manual is:
Information must be protected in a manner commensurate with its sensitivity, value and
criticality. This policy applies regardless of the media on which information is stored, the
locations where the information is stored, the systems used to process the information, or
the processes by which information is handled.
Obviously not all personal information is equally sensitive. The office policy should have in place common
sense guidelines regarding the three stages of information flow – collection, storage/use and destruction.
Collection
Collection safeguards can include:
(i) If the information is likely to be regarded as sensitive (e.g. information concerning employment,
finances, health issues, etc.) collection should take place in an environment that offers privacy
and confidentiality;
(ii) information that comes in through the mail or by fax should be routed to the intended recipient
directly;
(iii) organizations should not be indiscriminate about who has access to personal information.
Information should be available on a “need-to-know” basis.
Storage
The policies involving the storage of personal information are set out in
Section 7.3 of the Privacy Code.
Record Retention
All offices should have in place record retention and destruction policies consistent with the laws of
your jurisdiction. Brokerages which do not currently have such policies should contact their local board.
G. Accuracy of and Access to Personal Information
Personal information should be not only protected physically as discussed above, but the integrity and
accuracy of the information should also be protected. A sample office policy provision might be:
“To ensure the quality of the information collected:
(a) insofar as possible, personal information should be collected directly from the
consumer;
(b) public property information (taxes, assessment data, etc.) should be verified with
the public source;
(c) disclaimers of accuracy should always be attached to any disclosure of information”.
Individuals must be able to access their own personal information on request and be able to make any
necessary changes for accuracy.
A basic procedural guide is established in Section 9.2 of CREA’s Code.
There will be exceptions to the requirement to disclose personal information to individuals. These may
include:
(i) Personal information that contains references to other individuals;
(ii) Information that cannot be disclosed for security reasons;
(iii) Information that is subject to solicitor-client privilege.
When in doubt as to whether to disclose information, legal advice should be sought. Reasons for the
non-disclosure must be given to the party requesting the information.
H. Openness
Individuals should be able to obtain information easily about the office’s privacy policies.
The CREA Privacy Code can be made available to individuals. Additionally, a brochure explaining
privacy policies should be in your waiting room.
A model brochure is included in this CD Rom.
I. Challenging Compliance
In order to be effective, the Code must have a complaints process.
The membership of The Canadian Real Estate Association adopted the Privacy Code as a national
policy at their Annual Meeting in October of 2001. The Privacy Code was not, however, incorporated
as part of CREA’s Code of Ethics and Standards of Business Practice. Organized real estate is not,
therefore, involved in the enforcement aspect of the Privacy Code in relation to brokers and salespeople
as it is with the Code of Ethics.
The Privacy Code is set up in such a way that complaints about non-compliance by real estate offices
must be directed in the first instance to the real estate office itself in an attempt to resolve complaints
internally to the satisfaction of the individual. If that process fails, the complaint will be referred to the
complaints process (if any) of the franchisor, or to the appropriate data protection enforcement authorities.
In the province of Québec, that authority is the Commission d’accès à l’information. At such time as
any other province passes comprehensive privacy legislation, that authority will likely be the provincial
privacy commission. In all other cases, the complaint should be referred to the Privacy Commissioner
of Canada.
The following two pages contain a PDF file that allows you to add
your name (or the name of your board or association) to a Customer
Information brochure and print out copies on your colour printer.
For larger quantities, this CD also contains two EPS files (one for
each side of the brochure) that you can send to your commercial
printer. These files can be found in the folder marked: ‘BROCHURE’.
PRIVACY TOOLKIT for REALTORS
CREA Privacy Code Highlights Brochure
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
Protecting your privacy: it’s our business
YOUR PRIVACY and the Real Estate Transaction
In the usual course of real estate transactions, REALTORS may require personal and property
information from buyers and sellers. Some of this information may be considered private. Collecting
and sharing this information is an essential part of the buying and selling process. At the same time,
few things are more important to individuals than their privacy. REALTORS recognize the rights of
buyers and sellers to protect and control their personal information. REALTORS are committed to
using fair information practices when dealing with your personal information. This brochure explains
what we do with your information and how you control it. If you have any questions, speak to your
REALTOR or contact your local real estate board or your provincial real estate association.
REALTOR is a trademark of REALTOR
CANADA Inc., a company owned in
part by The Canadian Real Estate
Association and is used to identify real
estate brokers and salespersons who
are members of their local board,
provincial association and CREA.
© Copyright CREA 2002
Personalize your brochure!
Change the type below, then print it out.
Courtesy of:
BROKER/BOARD/ASSOCIATION NAME
Address line 1
Address line 2
Frequently Asked Questions...
1. What is personal
information?
Personal information is any
information about an identifiable
individual. This does not include
information which is publicly available
such as a phone directory listing your
name, address and telephone number.
2. How do REALTORS collect
personal information?
Most information will be obtained
directly from you, the client.
REALTORS may also collect
information from other sources such
as credit bureaus and government
agencies, as needed. At the time
information is collected, you will be
told what uses will be made of it, and
your consent to that collection and use
will be obtained.
3. What do REALTORS do with
my information?
Your information is used to facilitate
the real estate transaction. Effectively
marketing your house involves
advertising the property in any
medium, including electronic media
(e.g. newspapers, real estate
publications, Internet web sites)
and also disclosing property
information to other salespersons and
prospective buyers. If the listing is on
MLS®, the property information will be
given to the real estate board or
boards operating the Multiple Listing
Service(s)®. The listing information
will be distributed through the MLS®
system to any persons authorized to
use the service (which may include
other REALTORS, appraisers,
government departments and others)
and may be marketed by the board in
various media, including the Internet.
Property information, including sales
data, is kept in the MLS® database
following the completion of the
transaction and is available to users of
the system for comparative market
analysis and valuation purposes. Both
current and historical data is essential
to the operation of the MLS® system
and by placing your listing on the
MLS® system, you are agreeing to
allow this ongoing use of listing and
sales information.
4. How do I find out what
personal information a
REALTOR has about me?
You should be able to see your
personal information held by a realty
firm or real estate board/association by
calling, writing or visiting the
organization in person. There may be
specific procedures you have to follow
or forms you have to fill out, and the
firm or board/association has the right
to charge a minimal fee for the service.
5. Can I correct my personal
information that is wrong?
Yes, you can. Contact the particular
firm or board/association, explain
the correction you are requesting and
why. If you can show the information is
inaccurate or incomplete, it will be
corrected.
6. Is there a review process?
Yes. If you have any questions or
concerns about the way your personal
information has been collected, used
or disclosed or if access to your
personal information has been
improperly refused, or if the company
has refused to correct erroneous
information, try to settle the matter
directly with the firm. It has procedures
in place to respond to complaints. If
you’re not satisfied, you can contact
the Privacy Commissioner of Canada,
at [email protected] or by
calling 1-800-282-1376.
PRIVACY CODE
REALTORS abide by the Privacy
Code of The Canadian Real Estate
Association, which sets out the
commitment of REALTORS and your
rights regarding the privacy of your
personal information. We will:
• Obtain your consent when we
collect, use or disclose your
personal information
• Only use the information for the
purposes we discussed with you
• Allow you access to your information
• Have privacy policies that are
clear and understandable
PRIVACY TOOLKIT for REALTORS
Frequently asked questions
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
FREQUENTLY ASKED QUESTIONS
1. What is the purpose of PIPEDA?
The purpose of the Personal Information Protection and Electronic Documents Act (PIPEDA) is to
provide Canadians with the right of privacy with respect to their personal information that is collected,
used or disclosed by an organization in the private sector.
2. What is “personal information”?
Personal information is defined as “information about an identifiable individual”. This definition is,
for all intents and purposes, all encompassing and includes such things as a person’s race, age, marital
status, education, medical, criminal, employment or financial history, address and telephone number
and details about real and personal property ownership.
3. How is personal information protected?
All organizations collecting personal information will be required to put in place policies and procedures
which give effect to the ten principles of privacy which are set out in Schedule 1 to PIPEDA.
4. Where do these principles come from and how do they work?
The ten privacy principles are based on the “Model Code for the Protection of Personal Information”,
which was developed by the Canadian Standards Association in 1996. This Model Code was formulated
based on extensive input from the business sector and was intended to establish guidelines which
protected information, while at the same time being business-friendly.
The ten principles of privacy, when taken together, define the key business obligations and the key
consumer rights in terms of protection of personal information.
In a nutshell, the principles require the company collecting information to inform the consumer as to
what uses are going to be made of the information and to obtain the informed consent of the individual
for the collection, use and distribution of that information. The general rule is that no one else can make
use of a person’s personal information without that person’s consent. An individual has a right of access
to their personal information that is held by the company and has a right to have it corrected, if necessary.
5. Are there any exceptions?
PIPEDA does provide for a few exceptions to the general requirement of obtaining an individual’s
consent. Some groups, such as law enforcement agencies and journalists, have a lawful or investigative
need to collect, use and disclose personal information without having to obtain the consent of concerned
individuals. For these reasons, some of the exemptions include:
• personal information collected solely for journalistic, artistic or literary purposes;
• if the action clearly benefits the individual or if obtaining permission could infringe on the
information’s accuracy;
• where such data can contribute to a legal investigation or aid in an emergency where people’s
lives or safety can be at stake;
• if disclosure aids in times of emergency or in matters of legal investigation, or facilitates
the conservation of historically important records.
6. When, and to what industries will PIPEDA apply?
PIPEDA will eventually apply to every organization that collects, uses or discloses personal information
in the course of commercial activity. “Commercial activity” is any activity that is of a commercial
character and certainly includes the real estate industry. An “organization” is a company, association,
a partnership or a person.
To encourage harmonization of provincial and federal privacy protection laws, the Bill adopts a
phase-in approach. Effective January 1, 2001, the legislation applied to federally regulated private sector
companies, including telecommunication, broadcasting, banking and inter-provincial transportation.
It also applies to federal crown corporations operating in these areas such as Atomic Energy of Canada
Limited, the Canadian Broadcasting Corporation and so on.
The provisions of the legislation also applied, at that time, to trade in personal information that occurs
inter-provincially or internationally.
The provisions will apply more broadly to all personal information collected, used or disclosed in the
course of commercial activities as of January 1, 2004. If, however, a province passes a law that is
substantially similar to PIPEDA, the organization’s activities covered by the provincial law will be
exempted from the federal law. At this time, Québec is the only province that has substantially similar
legislation.
7. If provinces are going to pass their own privacy laws, with the
result that PIPEDA will not apply, why are we making all these
efforts to comply with PIPEDA?
While federal/provincial jurisdictional questions are going to result in some interesting times, there are
at least four reasons why it is important to understand and comply with PIPEDA now.
Firstly, all provinces may not pass their own legislation. PIPEDA will remain the governing legislation
in those jurisdictions.
Secondly, the intent of the federal regulators is to ensure that provinces adopt basic harmonized rules
for the protection of personal information. Only legislation which is “substantially similar” to PIPEDA
will exempt the province. It is apparent that to be “substantially similar”, legislation will have to be
based on the same ten principles as PIPEDA.
Thirdly, CREA’s Privacy Code, which is the national standard in organized real estate and is based on
PIPEDA, is effective now.
Fourthly, with privacy having been identified as a key factor in consumer decision making, most
businesses are encouraged to act sooner rather than later in establishing privacy policies.
8. What happens to the personal information my firm/board already has?
The personal information currently held by a REALTOR organization would not be exempt. Therefore
organizations must ensure that the information already collected meets the requirements of the Act and
has been collected accordingly. In other words:
(a) existing information can continue to be used without anything more, as long as the use is
consistent with the purpose for which it was collected in the first place;
(b) any secondary use for which consent was not obtained would offend the Act.
As an example, you collected personal information from a client a number of years ago when you
listed their house. You subsequently put their name on a mailing list and continue to send them
promotional and marketing materials. If you told them at the time you were doing this, and they
agreed, you can continue to do so. If you did not identify this use when you collected the information,
you cannot continue to maintain the mailing list without now obtaining the consent of the persons on it.
9. So if I maintain a mailing list of former clients and I didn’t get consent at
the time, do I have to contact each person and get them to positively consent
to being left on the list?
No. Both PIPEDA and the Privacy Code recognize the concept of “negative option consent”. You can
send everyone on the list a notice that they are on the list and here’s what you use it for. The notice
must provide that if the person wishes to be removed from the list, he or she can indicate so on the
notice (or by some other means) and return it to you. If no such notification is received by you, consent
is deemed to have been given.
10. What happens to the personal information my firm holds in case of a
sale or acquisition by another organization?
Unless you have indicated otherwise when collecting the information, the information can be used by
the acquiring company as long as it is used for the same purpose for which it was collected.
ALL OF THE MATERIALS IN THIS CD-ROM AND ANY PRIVACY UPDATES WILL BE
POSTED ON REALTOR Link™ (http://www.realtorlink.ca). PLEASE CHECK THAT SITE
ON A REGULAR BASIS TO FIND OUT WHAT’S NEW IN PRIVACY.
PRIVACY TOOLKIT for REALTORS
Brokers, owners, and managers... what you need to know
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
WHAT YOU NEED TO KNOW
• YOUR FIRM IS RESPONSIBLE for all personal information collected by your salespeople
(Principle 1, Privacy Code)
• YOU ARE REQUIRED TO AMEND YOUR CURRENT OFFICE POLICIES to incorporate
provisions which comply with the Privacy Code (“Sample Office Policies for Realty Firms” and
“Making Privacy Work in Your Office”)
• AN INDIVIDUAL IN YOUR OFFICE MUST BE DESIGNATED THE PRIVACY
COMPLIANCE OFFICER (Principle 1, Privacy Code). This person is responsible for
implementing the privacy policies, training staff and responding to questions from members of the
public.
• ENSURE THAT LISTING AND BUYER AGENCY AGREEMENTS used by your office contain
privacy disclosures. Many provincial associations have already incorporated such disclosures into
their forms. If not, see sample clauses in “Making Privacy Work in Your Office”. Make sure your
office uses only approved forms.
• ALL PERSONAL INFORMATION IN YOUR OFFICE MUST BE ADEQUATELY
PROTECTED to ensure that it is not lost, stolen, copied or modified without permission (Principle
7, Privacy Code). The level of protection depends on the sensitivity of the information, but should
include locked filing cabinets and computer passwords. You also must have a record retention and
destruction program.
• CLEAN OUT YOUR FILES. Destroy files which serve no purpose and do not need to be retained
in accordance with a record retention program. Cull the files that are necessary to be retained and
remove useless and irrelevant information that would not have been collected under an effective
privacy policy.
• YOUR FIRM MUST BE READY TO ADVISE CONSUMERS OF YOUR PRIVACY
POLICIES (Principle 8, Privacy Code and see the Brochure). Brochures in the waiting room and
the Privacy Code on the wall serve this purpose.
• CONSUMERS MUST BE ABLE TO ACCESS PERSONAL INFORMATION your office is
holding on them (Principle 9, Privacy Code; “Sample Office Policies For Realty Firms” and “Making
Privacy Work in Your Office”). The office must have in place a process to accommodate these
requests, and information must be provided at minimal or no cost. Principle 9, Privacy Code includes
a sample procedure. Consumers have the right to correct any inaccurate information.
• TRAIN YOUR STAFF AND SALESPEOPLE ON HOW THE PRIVACY POLICIES WORK.
Implement regular privacy update sessions. Training is absolutely essential. All office
representatives should understand the privacy policies. All salespersons should be specifically trained
to: disclose to consumers the uses information will be put to at the time it is collected; obtain the
informed consent of the consumer to those uses; collect only the information necessary for the
transaction; only use and disclose the information as they said they would.
• CONSUMERS MUST BE ABLE TO COMPLAIN TO THE OFFICE that the Principles of the
Code have not been adhered to (Principle 10, Privacy Code). The Privacy Compliance Officer must
address any complaints and try to resolve them. If unsuccessful, the consumer must be advised of
where the complaint can be directed.
PRIVACY TOOLKIT for REALTORS
Salespersons’ do’s and don’ts
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
DO’S AND DON’TS
DO:
• FAMILIARIZE YOURSELF WITH THE PRIVACY POLICIES OF YOUR OFFICE. Every
realty office must implement privacy policies. These policies, however, are only as effective as the
people operating under them. You cannot effectively put these policies into practice if you don’t
know what they say or what they mean. Read and understand the policies. Ask questions.
• ADVISE CLIENTS WHAT YOU WILL BE DOING WITH THE PERSONAL
INFORMATION YOU ARE COLLECTING (Principle 2, Privacy Code; Office Policies; “Making
Privacy Work in Your Office”). Understand that there are two separate aspects to this disclosure.
Consumers must understand that you use the information to market the property and you also give
the information to the real estate board operating the MLS® system. The board then has specific
uses for the information. Always be completely transparent as to what you are doing with the
information. Ensure that the listing and buyer agency forms you are using contain disclosure clauses
which explain these uses in more detail. Familiarize yourself with these clauses.
• GET THE CONSENT OF THE CLIENT TO THE USES DISCLOSED (Principle 3, Privacy
Code; Office Policies; “Making Privacy Work in Your Office”). Familiarize yourself with the different
types of consent: express (written or oral) and implied. Ensure that when you are sending information
to any third party you are doing so with the proper consents.
• COLLECT ONLY THE INFORMATION YOU NEED TO EFFECTIVELY REPRESENT
THE CLIENT IN THE TRANSACTION (Principle 4, Privacy Code; Office Policies; “Making
Privacy Work in Your Office”). Direct your mind to this issue when you are collecting information.
Only essential information, necessary for the transaction, is to be collected. Create a list for your
own use of the usual required information.
• USE AND DISCLOSE THE INFORMATION ONLY IN A MANNER CONSISTENT WITH
THE REASON IT WAS COLLECTED (Principle 5, Privacy Code; Office Policies; “Making
Privacy Work in Your Office”). You are collecting the information to market the property for sellers
and to locate and qualify properties for buyers. Use it to do that and nothing else. If you do
anything else with it (mailing lists, selling names to third parties etc…), get the express consent of
the client to that use.
All of the discussion above can be summarized like this: Tell them what you’re going to do with the
information, get their consent to do that, just collect the information you need to do what you said, and
then only do with it what you said you were going to do with it.
• TAKE REASONABLE STEPS TO ENSURE THE INFORMATION IS AS ACCURATE AS
POSSIBLE WHEN YOU COLLECT IT (Principle 6, Privacy Code). As much as possible, collect
information from the person who has the first-hand knowledge, not some third party. Always verify
public property information with the public source.
DO NOT:
• ASSUME THAT BECAUSE PRIVACY DISCLOSURES ARE IN THE CONTRACT YOU
DON’T HAVE TO EXPLAIN ANYTHING ABOUT PRIVACY TO THE CLIENT. Tell them
to read the clause and ask you anything they don’t understand. Give them a copy of the privacy
brochure. Discuss the issue of privacy with them.
• ASSUME THAT YOU HAVE IMPLIED CONSENT for any use that is not clearly and obviously
related to the transaction. Any other uses, no matter how “harmless” or non-invasive, require the
express consent of the client.
• MARKET BACK TO YOUR CLIENT or send unsolicited materials to them unless they have
agreed to be on a list of that nature.
• SHARE PERSONAL INFORMATION WITH ANY THIRD PARTIES without the consent of
the individual. Don’t sell or rent mailing lists. Don’t give your clients’ names to other service
providers (movers, lawyers, building inspectors, etc…) so they can try to sell their services.
PRIVACY TOOLKIT for REALTORS
Resources
CREA
THE CANADIAN REAL ESTATE ASSOCIATION
RESOURCES
I. Reference Materials
1. The Personal Information and Electronic Documents Act (2001).
2. Your Privacy Rights: A Guide For Canadians (a publication of the Office of the Privacy
Commissioner of Canada).
3. Your Privacy Responsibilities: A Guide For Businesses and Organizations (a publication
of the Office of the Privacy Commissioner of Canada).
II. Useful Links
1. REALTOR Link™, http://www.realtorlink.ca.
All updates to this CD-ROM will appear on REALTOR Link™, the national Intranet site
of organized real estate.
2. Privacy Commissioner of Canada, http://www.privcom.gc.ca.
The Privacy Commissioner of Canada is the overseeing body responsible for enforcement
of PIPEDA. The site also contains much useful reference material and related links.
3. Industry Canada Electronic Commerce Site, http://e-com.ic.gc.ca.
Canada’s Electronic Commerce policy works hand-in-hand with privacy. Check this site
out to see Canada’s strategic plan for e-commerce and privacy.
4. Canadian Standards Association, http://www.csa.ca.
The CSA developed the original model voluntary Privacy Code upon which the new privacy
legislation is based.
5. Public Interest Advocacy Centre, http://www.piac.ca
PIAC, a non-profit organization which supports consumer interests, has been actively
involved in the development of privacy regulation in Canada.
6. Electronic Frontier Canada, http://insight.mcmaster.ca/org/efc/efc.html.
EFC is a civil liberties organization looking to protect privacy and free expression in the
electronic age.
III. Provincial/Territorial Privacy Commissioners.
British Columbia
Information and Privacy Commissioner of British Columbia
4-1675 Douglas Street
Victoria, British Columbia V8V 1X4
Phone: (250) 387-5629
Toll-free: 1 (800) 663-7867 (free within B.C.)
Fax: (250) 387-1696
Email: [email protected]
Web Site: http://www.oipcbc.org/
Alberta
A/Information and Privacy Commissioner for Alberta
410, 9925 - 109 Street, Edmonton, Alberta T5K 2J8
Phone: (780) 422-6860
Fax: (780) 422-5682
Email: [email protected]
Web Site: http://www.oipc.ab.ca/
Saskatchewan
Information, Privacy and Conflict of Interest
Commissioner of Saskatchewan
700-1914 Hamilton Street
Regina, Saskatchewan S4P 3N6
Phone: (306) 522-3030
Fax: (306) 522-3555
Email: [email protected]
Web Site: http://www.legassembly.sk.ca/legassembly/Officers/informat.htm
Manitoba
Office of the Ombudsman
500 Portage Avenue
Winnipeg, Manitoba R3C 3X1
Phone: (204) 982-9130
Toll-free: 1 (800) 665-0531
Fax: (204) 942-7803
Email: [email protected]
Web Site: http://www.ombudsman.mb.ca/
Ontario
Information and Privacy Commissioner of Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 326-3333
Toll-free: 1 (800) 387-0073 (free within Ontario)
Fax: (416) 325-9195
Email: [email protected]
Web Site: http://www.ipc.on.ca/
Québec
La Commission d’accès à l’information du Québec
575, rue St. Amable
Bureau 1.10
Québec, Québec G1R 2G4
Phone: (418) 528-7741
Fax: (418) 529-3102
Toll-free: 1 (888) 528-7741 (free within Québec)
Email: [email protected]
Web Site: http://www.cai.gouv.qc.ca/
New Brunswick
Office of the Ombudsman
Province of New Brunswick
767 Brunswick Street
P.O. Box 6000
Fredericton, New Brunswick E3B 5H1
Phone: (506) 453-2789
Toll-free: 1 (800) 561-4021 (free within N.B.)
Fax: (506) 457-7896
Email: [email protected]
Nova Scotia
Freedom of Information and Privacy Review Officer
Freedom of Information and Privacy Review Office
P.O. Box 181
Halifax, Nova Scotia B3J 2M4
Phone: (902) 424-4684
Fax: (902) 424-8303
Email: [email protected]
Web Site: http://www.gov.ns.ca/foiro/
Prince Edward Island
Assistant Clerk of the Committee
Legislative Assembly
P.O. Box 200
Charlottetown, P.E.I. C1A 7N8
Phone: (902) 368-5970
Fax: (902) 368-5175
Email: [email protected]
Newfoundland
Director of Legal Services
Department of Justice of Newfoundland
Confederation Building
P.O. BOX 8700
St. John’s, Newfoundland A1B 4J6
Phone: (709) 729-2893
Fax: (709) 729-2129
Email: [email protected]
Web Site: http://www.gov.nf.ca/just/
Yukon
Ombudsman and Information and Privacy Commissioner of the Yukon
211 Main Street, Suite 200
P.O. Box 2703
Whitehorse, Yukon Territory Y1A 2C6
Phone: (867) 667-8468
Fax: (867) 667-8469
Email: [email protected]
Web Site: http://www.ombudsman.yk.ca/
North West Territories & Nunavut
Information and Privacy Commissioner of the Northwest Territories
5018, 47th street
Yellowknife, Northwest Territories X1A 2N2
Phone: (867) 669-0976
Fax: (867) 920-2511
Email: [email protected]
Second Session, Thirty-sixth Parliament,
48-49 Elizabeth II, 1999-2000
STATUTES OF CANADA 2000
CHAPTER 5
An Act to support and promote electronic commerce by
protecting personal information that is collected, used
or disclosed in certain circumstances, by providing for
the use of electronic means to communicate or record
information or transactions and by amending the
Canada Evidence Act, the Statutory Instruments Act
and the Statute Revision Act
BILL C-6
ASSENTED TO 13th APRIL, 2000
RECOMMENDATION
His Excellency the Governor General recommends to the House of
Commons the appropriation of public revenue under the circumstances,
in the manner and for the purposes set out in a measure entitled ‘‘An Act
to support and promote electronic commerce by protecting personal
information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or
record information or transactions and by amending the Canada
Evidence Act, the Statutory Instruments Act and the Statute Revision
Act’’.
SUMMARY
Part 1 of this enactment establishes a right to the protection of
personal information collected, used or disclosed in the course of
commercial activities, in connection with the operation of a federal
work, undertaking or business or interprovincially or internationally.
It establishes the following principles to govern the collection, use
and disclosure of personal information: accountability, identifying the
purposes for the collection of personal information, obtaining consent,
limiting collection, limiting use, disclosure and retention, ensuring
accuracy, providing adequate security, making information management policies readily available, providing individuals with access to
information about themselves, and giving individuals a right to
challenge an organization’s compliance with these principles.
It further provides for the Privacy Commissioner to receive
complaints concerning contraventions of the principles, conduct
investigations and attempt to resolve such complaints. Unresolved
disputes relating to certain matters can be taken to the Federal Court for
resolution.
Part 2 sets out the legislative scheme by which requirements in
federal statutes and regulations that contemplate the use of paper or do
not expressly permit the use of electronic technology may be
administered or complied with in the electronic environment. It grants
authority to the appropriate authorities to make regulations about how
those requirements may be satisfied using electronic means.
All parliamentary publications are available on the
Parliamentary Internet Parlementaire at the following address:
http://www.parl.gc.ca
Part 2 also describes the characteristics of secure electronic
signatures and grants authority to make regulations prescribing
technologies or processes for the purpose of the definition ‘‘secure
electronic signature’’.
Part 3 amends the Canada Evidence Act to facilitate the admissibility
of electronic documents, to establish evidentiary presumptions related
to secure electronic signatures, and to provide for the recognition as
evidence of notices, acts and other documents published electronically
by the Queen’s Printer.
La partie 3 modifie la Loi sur la preuve au Canada pour faciliter
l’admissibilité des documents électroniques, pour établir des présomptions relatives aux signatures électroniques sécurisées et pour reconnaître comme élément de preuve les avis, actes et autres documents publiés
sur support électronique par l’imprimeur de la Reine.
Part 4 amends the Statutory Instruments Act to authorize the
publication of the Canada Gazette by electronic means.
La partie 4 modifie la Loi sur les textes réglementaires pour autoriser
la publication de la Gazette du Canada par moyen électronique.
Part 5 amends the Statute Revision Act to authorize the publication
and distribution of an electronic version of the Consolidated Statutes
and Regulations of Canada.
En dernier lieu, la partie 5 modifie la Loi sur la révision des lois pour
autoriser la publication et la diffusion d’une version électronique des
lois codifiées et des règlements codifiés du Canada.
TABLE OF PROVISIONS
TABLE ANALYTIQUE
AN ACT TO SUPPORT AND PROMOTE ELECTRONIC
COMMERCE BY PROTECTING PERSONAL INFORMATION
THAT IS COLLECTED, USED OR DISCLOSED IN CERTAIN
CIRCUMSTANCES, BY PROVIDING FOR THE USE OF
ELECTRONIC MEANS TO COMMUNICATE OR RECORD
INFORMATION OR TRANSACTIONS AND BY AMENDING
THE CANADA EVIDENCE ACT, THE STATUTORY
INSTRUMENTS ACT AND THE STATUTE REVISION ACT
LOI VISANT À FACILITER ET À PROMOUVOIR LE
COMMERCE ÉLECTRONIQUE EN PROTÉGEANT LES
RENSEIGNEMENTS PERSONNELS RECUEILLIS, UTILISÉS
OU COMMUNIQUÉS DANS CERTAINES CIRCONSTANCES,
EN PRÉVOYANT L’UTILISATION DE MOYENS
ÉLECTRONIQUES POUR COMMUNIQUER OU
ENREGISTRER DE L’INFORMATION ET DES
TRANSACTIONS ET EN MODIFIANT LA LOI SUR LA
PREUVE AU CANADA, LA LOI SUR LES TEXTES
RÉGLEMENTAIRES ET LA LOI SUR LA RÉVISION DES
LOIS
SHORT TITLE / TITRE ABRÉGÉ
1. Personal Information Protection and Electronic Documents Act / Loi sur la protection des renseignements personnels et les documents électroniques
PART 1 / PARTIE 1
PROTECTION OF PERSONAL INFORMATION IN THE PRIVATE SECTOR / PROTECTION DES RENSEIGNEMENTS PERSONNELS DANS LE SECTEUR PRIVÉ
Interpretation / Définitions
2. Definitions / Définitions
Purpose / Objet
3. Purpose / Objet
Application / Champ d’application
4. Application / Champ d’application
DIVISION 1 / SECTION 1
PROTECTION OF PERSONAL INFORMATION / PROTECTION DES RENSEIGNEMENTS PERSONNELS
5. Compliance with obligations / Obligation de se conformer aux obligations
6. Effect of designation of individual / Conséquence de la désignation d’une personne
7. Collection without knowledge or consent / Collecte à l’insu de l’intéressé et sans son consentement
8. Written request / Demande écrite
9. When access prohibited / Cas où la communication est interdite
10. Sensory disability / Déficience sensorielle
DIVISION 2 / SECTION 2
REMEDIES / RECOURS
Filing of Complaints / Dépôt des plaintes
11. Contravention / Violation
Investigations of Complaints / Examen des plaintes
12. Powers of Commissioner / Pouvoirs du commissaire
Commissioner’s Report / Rapport du commissaire
13. Contents / Contenu
Hearing by Court / Audience de la Cour
14. Application / Demande
15. Commissioner may apply or appear / Exercice du recours par le commissaire
16. Remedies / Réparations
17. Summary hearings / Procédure sommaire
DIVISION 3 / SECTION 3
AUDITS / VÉRIFICATIONS
18. To ensure compliance / Contrôle d’application
19. Report of findings and recommendations / Rapport des conclusions et recommandations du commissaire
DIVISION 4 / SECTION 4
GENERAL / DISPOSITIONS GÉNÉRALES
20. Confidentiality / Secret
21. Not competent witness / Qualité pour témoigner
22. Protection of Commissioner / Immunité du commissaire
23. Consultations with provinces / Consultation avec les provinces
24. Promoting the purposes of the Part / Promotion de l’objet de la partie
25. Annual report / Rapport annuel
26. Regulations / Règlements
27. Whistleblowing / Dénonciation
27.1. Prohibition / Interdiction
28. Offence and punishment / Infraction et peine
29. Review of Part by parliamentary committee / Examen par un comité parlementaire
DIVISION 5 / SECTION 5
TRANSITIONAL PROVISIONS / DISPOSITIONS TRANSITOIRES
30. Application / Application
PART 2 / PARTIE 2
ELECTRONIC DOCUMENTS / DOCUMENTS ÉLECTRONIQUES
Interpretation / Définitions
31. Definitions / Définitions
Purpose / Objet
32. Purpose / Objet
Electronic Alternatives / Moyens électroniques
33. Collection, storage, etc. / Collecte, mise en mémoire, etc.
34. Electronic payment / Paiements par voie électronique
35. Electronic version of statutory form / Version électronique des formulaires d’origine législative
36. Documents as evidence or proof / Preuve par documents
37. Retention of documents / Conservation des documents
38. Notarial act / Actes notariés
39. Seals / Sceaux
40. Requirements to provide documents or information / Obligation de fournir des documents ou de l’information
41. Writing requirements / Documents sous forme écrite
42. Original documents / Documents originaux
43. Signatures / Signatures
44. Statements made under oath / Déclarations sous serment
45. Statements declaring truth, etc. / Déclarations
46. Witnessed signatures / Signatures devant témoin
47. Copies / Exemplaires
Regulations and Orders / Règlements et décrets
48. Regulations / Règlements
49. Amendment of schedules / Modification des annexes
50. Regulations / Règlements
51. Effect of striking out listed provision / Effet d’une disposition supprimée de la liste
PART 3 / PARTIE 3
AMENDMENTS TO THE CANADA EVIDENCE ACT / MODIFICATION DE LA LOI SUR LA PREUVE AU CANADA
52-57. Canada Evidence Act / Loi sur la preuve au Canada
PART 4 / PARTIE 4
AMENDMENTS TO THE STATUTORY INSTRUMENTS ACT / MODIFICATION DE LA LOI SUR LES TEXTES RÉGLEMENTAIRES
58-59. Statutory Instruments Act / Loi sur les textes réglementaires
PART 5 / PARTIE 5
AMENDMENTS TO THE STATUTE REVISION ACT / MODIFICATION DE LA LOI SUR LA RÉVISION DES LOIS
60-71. Statute Revision Act / Loi sur la révision des lois
PART 6 / PARTIE 6
COMING INTO FORCE / ENTRÉE EN VIGUEUR
72. Coming into force / Entrée en vigueur
SCHEDULES / ANNEXES
48-49 ELIZABETH II
CHAPTER 5
CHAPITRE 5
An Act to support and promote electronic
commerce by protecting personal
information that is collected, used or
disclosed in certain circumstances, by
providing for the use of electronic means
to communicate or record information or
transactions and by amending the
Canada Evidence Act, the Statutory
Instruments Act and the Statute Revision
Act
Loi visant à faciliter et à promouvoir le
commerce électronique en protégeant les
renseignements personnels recueillis,
utilisés ou communiqués dans certaines
circonstances, en prévoyant l’utilisation
de moyens électroniques pour communiquer ou enregistrer de l’information et des
transactions et en modifiant la Loi sur la
preuve au Canada, la Loi sur les textes
réglementaires et la Loi sur la révision des
lois
[Assented to 13th April, 2000]
[Sanctionnée le 13 avril 2000]
Her Majesty, by and with the advice and
consent of the Senate and House of Commons
of Canada, enacts as follows:
Sa Majesté, sur l’avis et avec le consentement du Sénat et de la Chambre des communes du Canada, édicte :
SHORT TITLE
TITRE ABRÉGÉ
1. This Act may be cited as the Personal
Information Protection and Electronic Documents Act.
1. Loi sur la protection des renseignements
personnels et les documents électroniques.
PART 1
PARTIE 1
PROTECTION OF PERSONAL
INFORMATION IN THE PRIVATE
SECTOR
PROTECTION DES RENSEIGNEMENTS
PERSONNELS DANS LE SECTEUR
PRIVÉ
Interpretation
2. (1) The definitions in this subsection
apply in this Part.
Définitions
2. (1) Les définitions qui suivent s’appliquent à la présente partie.
‘‘alternative
format’’
« support de
substitution »
‘‘alternative format’’, with respect to personal
information, means a format that allows a
person with a sensory disability to read or
listen to the personal information.
« activité
commerciale »
‘‘commercial
activity’’
‘‘commercial
activity’’
« activité
commerciale »
‘‘commercial activity’’ means any particular
transaction, act or conduct or any regular
course of conduct that is of a commercial
character, including the selling, bartering or
leasing of donor, membership or other fundraising lists.
« activité commerciale » Toute activité régulière ainsi que tout acte isolé qui revêtent un
caractère commercial de par leur nature, y
compris la vente, le troc ou la location de
listes de donneurs, d’adhésion ou de collecte de fonds.
« commissaire » Le Commissaire à la protection de la vie privée nommé en application
de l’article 53 de la Loi sur la protection des
renseignements personnels.
« commissaire »
‘‘Commissioner’’
Short title
Definitions
Titre abrégé
Définitions
‘‘Commissioner’’
« commissaire »
C. 5
Personal Information Protection and Electronic Documents
48-49 ELIZ. II
‘‘Commissioner’’ means the Privacy Commissioner appointed under section 53 of the
Privacy Act.
‘‘Court’’
« Cour »
‘‘Court’’ means the Federal Court—Trial Division.
‘‘federal
work,
undertaking
or business’’
« entreprises
fédérales »
‘‘federal work, undertaking or business’’
means any work, undertaking or business
that is within the legislative authority of
Parliament. It includes
(a) a work, undertaking or business that
is operated or carried on for or in
connection with navigation and shipping,
whether inland or maritime, including
the operation of ships and transportation
by ship anywhere in Canada;
(b) a railway, canal, telegraph or other
work or undertaking that connects a
province with another province, or that
extends beyond the limits of a province;
(c) a line of ships that connects a province
with another province, or that extends
beyond the limits of a province;
(d) a ferry between a province and
another province or between a province
and a country other than Canada;
(e) aerodromes, aircraft or a line of air
transportation;
(f) a radio broadcasting station;
(g) a bank;
(h) a work that, although wholly situated
within a province, is before or after its
execution declared by Parliament to be
for the general advantage of Canada or
for the advantage of two or more provinces;
(i) a work, undertaking or business
outside the exclusive legislative authority of the legislatures of the provinces;
and
(j) a work, undertaking or business to
which federal laws, within the meaning
of section 2 of the Oceans Act, apply
under section 20 of that Act and any
regulations made under paragraph
26(1)(k) of that Act.
« Cour » La Section de première instance de
la Cour fédérale.
« Cour »
‘‘Court’’
« document » Tous éléments d’information,
quels que soient leur forme et leur support,
notamment correspondance, note, livre,
plan, carte, dessin, diagramme, illustration
ou graphique, photographie, film, microforme, enregistrement sonore, magnétoscopique ou informatisé, ou toute reproduction
de ces éléments d’information.
« document »
‘‘record’’
« entreprises fédérales » Les installations, ouvrages, entreprises ou secteurs d’activité
qui relèvent de la compétence législative du
Parlement. Sont compris parmi les entreprises fédérales :
« entreprises
fédérales »
‘‘federal
work,
undertaking
or business’’
a) les installations, ouvrages, entreprises
ou secteurs d’activité qui se rapportent à
la navigation et aux transports par eau,
notamment l’exploitation de navires et le
transport par navire partout au Canada;
b) les installations ou ouvrages, notamment les chemins de fer, canaux ou
liaisons télégraphiques, reliant une province à une autre, ou débordant les
limites d’une province, et les entreprises
correspondantes;
c) les lignes de transport par bateaux à
vapeur ou autres navires, reliant une
province à une autre, ou débordant les
limites d’une province;
d) les passages par eaux entre deux
provinces ou entre une province et un
pays étranger;
e) les aéroports, aéronefs ou lignes de
transport aérien;
f) les stations de radiodiffusion;
g) les banques;
h) les ouvrages qui, bien qu’entièrement
situés dans une province, sont, avant ou
après leur réalisation, déclarés par le
Parlement être à l’avantage général du
Canada ou à l’avantage de plusieurs
provinces;
i) les installations, ouvrages, entreprises
ou secteurs d’activité ne ressortissant pas
au pouvoir législatif exclusif des législatures provinciales;
1999-2000
Protection des renseignements personnels et documents électroniques
‘‘organization’’
« organisation »
‘‘organization’’ includes an association, a
partnership, a person and a trade union.
‘‘personal
health
information’’
« renseignement
personnel
sur la santé »
‘‘personal health information’’, with respect to
an individual, whether living or deceased,
means
(a) information concerning the physical
or mental health of the individual;
(b) information concerning any health
service provided to the individual;
(c) information concerning the donation
by the individual of any body part or any
bodily substance of the individual or
information derived from the testing or
examination of a body part or bodily
substance of the individual;
(d) information that is collected in the
course of providing health services to the
individual; or
(e) information that is collected incidentally to the provision of health services to
the individual.
‘‘personal
information’’
« renseignement
personnel »
‘‘personal information’’ means information
about an identifiable individual, but does
not include the name, title or business address or telephone number of an employee
of an organization.
‘‘record’’
« document »
‘‘record’’ includes any correspondence, memorandum, book, plan, map, drawing, diagram,
pictorial or graphic work, photograph, film, microform, sound recording, videotape,
machine-readable record and any other documentary material,
regardless of physical form or characteristics, and any copy of any of those things.
Notes in
Schedule 1
(2) In this Part, a reference to clause 4.3 or
4.9 of Schedule 1 does not include a reference
to the note that accompanies that clause.
j) les installations, ouvrages, entreprises
ou secteurs d’activité auxquels le droit,
au sens de l’alinéa a) de la définition de
« droit » à l’article 2 de la Loi sur les
océans, s’applique en vertu de l’article
20 de cette loi et des règlements pris en
vertu de l’alinéa 26(1)k) de la même loi.
« organisation » S’entend notamment des associations, sociétés de personnes, personnes et organisations syndicales.
« organisation »
‘‘organization’’
« renseignement personnel » Tout renseignement concernant un individu identifiable, à
l’exclusion du nom et du titre d’un employé
d’une organisation et des adresse et numéro
de téléphone de son lieu de travail.
« renseignement
personnel »
‘‘personal
information’’
« renseignement personnel sur la santé » En
ce qui concerne un individu vivant ou décédé :
a) tout renseignement ayant trait à sa
santé physique ou mentale;
« renseignement
personnel
sur la santé »
‘‘personal
health
information’’
b) tout renseignement relatif aux services
de santé fournis à celui-ci;
c) tout renseignement relatif aux dons de
parties du corps ou de substances corporelles faits par lui, ou tout renseignement
provenant des résultats de tests ou d’examens effectués sur une partie du corps ou
une substance corporelle de celui-ci;
d) tout renseignement recueilli dans le
cadre de la prestation de services de santé
à celui-ci;
e) tout renseignement recueilli fortuitement lors de la prestation de services de
santé à celui-ci.
« support de substitution » Tout support permettant à une personne ayant une déficience sensorielle de lire ou d’écouter des renseignements personnels.
« support de
substitution »
‘‘alternative
format’’
(2) Dans la présente partie, la mention des
articles 4.3 ou 4.9 de l’annexe 1 ne vise pas les
notes afférentes.
Notes de
l’annexe 1
Purpose
Application
Purpose
Objet
3. The purpose of this Part is to establish, in
an era in which technology increasingly
facilitates the circulation and exchange of
information, rules to govern the collection,
use and disclosure of personal information in
a manner that recognizes the right of privacy
of individuals with respect to their personal
information and the need of organizations to
collect, use or disclose personal information
for purposes that a reasonable person would
consider appropriate in the circumstances.
3. La présente partie a pour objet de fixer,
dans une ère où la technologie facilite de plus
en plus la circulation et l’échange de renseignements, des règles régissant la collecte,
l’utilisation et la communication de renseignements personnels d’une manière qui tient
compte du droit des individus à la vie privée
à l’égard des renseignements personnels qui
les concernent et du besoin des organisations
de recueillir, d’utiliser ou de communiquer
des renseignements personnels à des fins
qu’une personne raisonnable estimerait acceptables dans les circonstances.
Application
Champ d’application
4. (1) This Part applies to every organization in respect of personal information that
4. (1) La présente partie s’applique à toute
organisation à l’égard des renseignements
personnels :
(a) the organization collects, uses or discloses in the course of commercial activities; or
Limit
Objet
Champ
d’application
a) soit qu’elle recueille, utilise ou communique dans le cadre d’activités commerciales;
(b) is about an employee of the organization
and that the organization collects, uses or
discloses in connection with the operation
of a federal work, undertaking or business.
b) soit qui concernent un de ses employés et
qu’elle recueille, utilise ou communique
dans le cadre d’une entreprise fédérale.
(2) This Part does not apply to
(2) La présente partie ne s’applique pas :
(a) any government institution to which the
Privacy Act applies;
a) aux institutions fédérales auxquelles
s’applique la Loi sur la protection des
renseignements personnels;
(b) any individual in respect of personal
information that the individual collects,
uses or discloses for personal or domestic
purposes and does not collect, use or
disclose for any other purpose; or
Other Acts
Limite
b) à un individu à l’égard des renseignements personnels qu’il recueille, utilise ou
communique à des fins personnelles ou
domestiques et à aucune autre fin;
(c) any organization in respect of personal
information that the organization collects,
uses or discloses for journalistic, artistic or
literary purposes and does not collect, use
or disclose for any other purpose.
c) à une organisation à l’égard des renseignements personnels qu’elle recueille, utilise ou communique à des fins journalistiques, artistiques ou littéraires et à aucune
autre fin.
(3) Every provision of this Part applies
despite any provision, enacted after this
subsection comes into force, of any other Act
of Parliament, unless the other Act expressly
declares that that provision operates despite
the provision of this Part.
(3) Toute disposition de la présente partie
s’applique malgré toute disposition — édictée après l’entrée en vigueur du présent
paragraphe — d’une autre loi fédérale, sauf
dérogation expresse de la disposition de
l’autre loi.
Autre loi
DIVISION 1
SECTION 1
PROTECTION OF PERSONAL INFORMATION
PROTECTION DES RENSEIGNEMENTS PERSONNELS
Compliance
with
obligations
5. (1) Subject to sections 6 to 9, every
organization shall comply with the obligations
set out in Schedule 1.
5. (1) Sous réserve des articles 6 à 9, toute
organisation doit se conformer aux obligations énoncées dans l’annexe 1.
Obligation de
se conformer
aux
obligations
Meaning of
‘‘should’’
(2) The word ‘‘should’’, when used in
Schedule 1, indicates a recommendation and
does not impose an obligation.
(2) L’emploi du conditionnel dans l’annexe
1 indique qu’il s’agit d’une recommandation
et non d’une obligation.
Emploi du
conditionnel
Appropriate
purposes
(3) An organization may collect, use or
disclose personal information only for purposes that a reasonable person would consider
are appropriate in the circumstances.
(3) L’organisation ne peut recueillir, utiliser
ou communiquer des renseignements personnels qu’à des fins qu’une personne raisonnable
estimerait acceptables dans les circonstances.
Fins
acceptables
Effect of
designation of
individual
6. The designation of an individual under
clause 4.1 of Schedule 1 does not relieve the
organization of the obligation to comply with
the obligations set out in that Schedule.
6. La désignation d’une personne en application de l’article 4.1 de l’annexe 1 n’exempte
pas l’organisation des obligations énoncées
dans cette annexe.
Conséquence
de la
désignation
d’une
personne
Collection
without
knowledge or
consent
7. (1) For the purpose of clause 4.3 of
Schedule 1, and despite the note that accompanies that clause, an organization may collect personal information without the knowledge or consent of the individual only if
7. (1) Pour l’application de l’article 4.3 de
l’annexe 1 et malgré la note afférente, l’organisation ne peut recueillir de renseignement
personnel à l’insu de l’intéressé et sans son
consentement que dans les cas suivants :
Collecte à
l’insu de
l’intéressé et
sans son
consentement
(a) the collection is clearly in the interests
of the individual and consent cannot be
obtained in a timely way;
a) la collecte du renseignement est manifestement dans l’intérêt de l’intéressé et le
consentement ne peut être obtenu auprès de
celui-ci en temps opportun;
(b) it is reasonable to expect that the
collection with the knowledge or consent of
the individual would compromise the availability or the accuracy of the information
and the collection is reasonable for purposes related to investigating a breach of an
agreement or a contravention of the laws of
Canada or a province;
(c) the collection is solely for journalistic,
artistic or literary purposes; or
(d) the information is publicly available and
is specified by the regulations.
Use without
knowledge or
consent
b) il est raisonnable de s’attendre à ce que
la collecte effectuée au su ou avec le
consentement de l’intéressé puisse compromettre l’exactitude du renseignement ou
l’accès à celui-ci, et la collecte est raisonnable à des fins liées à une enquête sur la
violation d’un accord ou la contravention
du droit fédéral ou provincial;
c) la collecte est faite uniquement à des fins
journalistiques, artistiques ou littéraires;
d) il s’agit d’un renseignement réglementaire auquel le public a accès.
(2) For the purpose of clause 4.3 of
Schedule 1, and despite the note that accompanies that clause, an organization may,
without the knowledge or consent of the
individual, use personal information only if
(2) Pour l’application de l’article 4.3 de
l’annexe 1 et malgré la note afférente, l’organisation ne peut utiliser de renseignement
personnel à l’insu de l’intéressé et sans son
consentement que dans les cas suivants :
(a) in the course of its activities, the
organization becomes aware of information
that it has reasonable grounds to believe
could be useful in the investigation of a
contravention of the laws of Canada, a
province or a foreign jurisdiction that has
been, is being or is about to be committed,
and the information is used for the purpose
of investigating that contravention;
a) dans le cadre de ses activités, l’organisation découvre l’existence d’un renseignement dont elle a des motifs raisonnables de
croire qu’il pourrait être utile à une enquête
sur une contravention au droit fédéral,
provincial ou étranger qui a été commise ou
est en train ou sur le point de l’être, et
l’utilisation est faite aux fins d’enquête;
Utilisation à
l’insu de
l’intéressé et
sans son
consentement
(b) it is used for the purpose of acting in
respect of an emergency that threatens the
life, health or security of an individual;
Disclosure
without
knowledge or
consent
b) l’utilisation est faite pour répondre à une
situation d’urgence mettant en danger la
vie, la santé ou la sécurité de tout individu;
(c) it is used for statistical, or scholarly
study or research, purposes that cannot be
achieved without using the information, the
information is used in a manner that will
ensure its confidentiality, it is impracticable
to obtain consent and the organization
informs the Commissioner of the use before
the information is used;
c) l’utilisation est faite à des fins statistiques
ou à des fins d’étude ou de recherche
érudites, ces fins ne peuvent être réalisées
sans que le renseignement soit utilisé,
celui-ci est utilisé d’une manière qui en
assure le caractère confidentiel, le consentement est pratiquement impossible à obtenir et l’organisation informe le commissaire
de l’utilisation avant de la faire;
(c.1) it is publicly available and is specified
by the regulations; or
c.1) il s’agit d’un renseignement réglementaire auquel le public a accès;
(d) it was collected under paragraph (1)(a)
or (b).
d) le renseignement a été recueilli au titre
des alinéas (1)a) ou b).
(3) For the purpose of clause 4.3 of
Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the
disclosure is
(3) Pour l’application de l’article 4.3 de
l’annexe 1 et malgré la note afférente, l’organisation ne peut communiquer de renseignement personnel à l’insu de l’intéressé et sans
son consentement que dans les cas suivants :
(a) made to, in the Province of Quebec, an
advocate or notary or, in any other province,
a barrister or solicitor who is representing
the organization;
a) la communication est faite à un avocat — dans la province de Québec, à un
avocat ou à un notaire — qui représente
l’organisation;
(b) for the purpose of collecting a debt owed
by the individual to the organization;
b) elle est faite en vue du recouvrement
d’une créance que celle-ci a contre l’intéressé;
(c) required to comply with a subpoena or
warrant issued or an order made by a court,
person or body with jurisdiction to compel
the production of information, or to comply
with rules of court relating to the production
of records;
c) elle est exigée par assignation, mandat ou
ordonnance d’un tribunal, d’une personne
ou d’un organisme ayant le pouvoir de
contraindre à la production de renseignements ou exigée par des règles de procédure
se rapportant à la production de documents;
(c.1) made to a government institution or
part of a government institution that has
made a request for the information, identified its lawful authority to obtain the
information and indicated that
c.1) elle est faite à une institution gouvernementale — ou à une subdivision d’une telle
institution — qui a demandé à obtenir le
renseignement en mentionnant la source de
l’autorité légitime étayant son droit de
l’obtenir et le fait, selon le cas :
(i) it suspects that the information relates
to national security, the defence of Canada or the conduct of international affairs,
(i) qu’elle soupçonne que le renseignement est afférent à la sécurité nationale,
à la défense du Canada ou à la conduite
des affaires internationales,
Communication à l’insu
de l’intéressé
et sans son
consentement
(ii) the disclosure is requested for the
purpose of enforcing any law of Canada,
a province or a foreign jurisdiction,
carrying out an investigation relating to
the enforcement of any such law or
gathering intelligence for the purpose of
enforcing any such law, or
(ii) que la communication est demandée
aux fins du contrôle d’application du
droit canadien, provincial ou étranger, de
la tenue d’enquêtes liées à ce contrôle
d’application ou de la collecte de renseignements en matière de sécurité en vue
de ce contrôle d’application,
(iii) the disclosure is requested for the
purpose of administering any law of
Canada or a province;
(iii) qu’elle est demandée pour l’application du droit canadien ou provincial;
(d) made on the initiative of the organization to an investigative body, a government
institution or a part of a government
institution and the organization
(i) has reasonable grounds to believe that
the information relates to a breach of an
agreement or a contravention of the laws
of Canada, a province or a foreign
jurisdiction that has been, is being or is
about to be committed, or
(ii) suspects that the information relates
to national security, the defence of Canada or the conduct of international affairs;
(e) made to a person who needs the
information because of an emergency that
threatens the life, health or security of an
individual and, if the individual whom the
information is about is alive, the organization informs that individual in writing
without delay of the disclosure;
(f) for statistical, or scholarly study or
research, purposes that cannot be achieved
without disclosing the information, it is
impracticable to obtain consent and the
organization informs the Commissioner of
the disclosure before the information is
disclosed;
(g) made to an institution whose functions
include the conservation of records of
historic or archival importance, and the
disclosure is made for the purpose of such
conservation;
(h) made after the earlier of
(i) one hundred years after the record
containing the information was created,
and
(ii) twenty years after the death of the
individual whom the information is
about;
d) elle est faite, à l’initiative de l’organisation, à un organisme d’enquête, une institution gouvernementale ou une subdivision
d’une telle institution et l’organisation,
selon le cas, a des motifs raisonnables de
croire que le renseignement est afférent à la
violation d’un accord ou à une contravention au droit fédéral, provincial ou étranger
qui a été commise ou est en train ou sur le
point de l’être ou soupçonne que le renseignement est afférent à la sécurité nationale,
à la défense du Canada ou à la conduite des
affaires internationales;
e) elle est faite à toute personne qui a besoin
du renseignement en raison d’une situation
d’urgence mettant en danger la vie, la santé
ou la sécurité de toute personne et, dans le
cas où la personne visée par le renseignement est vivante, l’organisation en informe
par écrit et sans délai cette dernière;
f) elle est faite à des fins statistiques ou à des
fins d’étude ou de recherche érudites, ces
fins ne peuvent être réalisées sans que le
renseignement soit communiqué, le
consentement est pratiquement impossible
à obtenir et l’organisation informe le commissaire de la communication avant de la
faire;
g) elle est faite à une institution dont les
attributions comprennent la conservation
de documents ayant une importance historique ou archivistique, en vue d’une telle
conservation;
h) elle est faite cent ans ou plus après la
constitution du document contenant le
renseignement ou, en cas de décès de
l’intéressé, vingt ans ou plus après le décès,
dans la limite de cent ans;
(h.1) of information that is publicly available and is specified by the regulations;
(h.2) made by an investigative body and the
disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of
Canada or a province; or
h.1) il s’agit d’un renseignement réglementaire auquel le public a accès;
h.2) elle est faite par un organisme d’enquête et est raisonnable à des fins liées à une
enquête sur la violation d’un accord ou la
contravention du droit fédéral ou provincial;
i) elle est exigée par la loi.
(i) required by law.
Use without
consent
(4) Despite clause 4.5 of Schedule 1, an
organization may use personal information for
purposes other than those for which it was
collected in any of the circumstances set out in
subsection (2).
(4) Malgré l’article 4.5 de l’annexe 1,
l’organisation peut, dans les cas visés au
paragraphe (2), utiliser un renseignement
personnel à des fins autres que celles auxquelles il a été recueilli.
Utilisation
sans le
consentement de
l’intéressé
Disclosure
without
consent
(5) Despite clause 4.5 of Schedule 1, an
organization may disclose personal information for purposes other than those for which it
was collected in any of the circumstances set
out in paragraphs (3)(a) to (h.2).
(5) Malgré l’article 4.5 de l’annexe 1,
l’organisation peut, dans les cas visés aux
alinéas (3)a) à h.2), communiquer un renseignement personnel à des fins autres que celles
auxquelles il a été recueilli.
Communication sans le
consentement de
l’intéressé
Written
request
8. (1) A request under clause 4.9 of
Schedule 1 must be made in writing.
8. (1) La demande prévue à l’article 4.9 de
l’annexe 1 est présentée par écrit.
Demande
écrite
Assistance
(2) An organization shall assist any individual who informs the organization that they
need assistance in preparing a request to the
organization.
(2) Sur requête de l’intéressé, l’organisation
fournit à celui-ci l’aide dont il a besoin pour
préparer sa demande.
Aide à
fournir
Time limit
(3) An organization shall respond to a
request with due diligence and in any case not
later than thirty days after receipt of the
request.
(3) L’organisation saisie de la demande doit
y donner suite avec la diligence voulue et, en
tout état de cause, dans les trente jours suivant
sa réception.
Délai de
réponse
Extension of
time limit
(4) An organization may extend the time
limit
(4) Elle peut toutefois proroger le délai visé
au paragraphe (3) :
Prorogation
du délai
(a) for a maximum of thirty days if
(i) meeting the time limit would unreasonably interfere with the activities of the
organization, or
a) d’une période maximale de trente jours
dans les cas où :
(i) l’observation du délai entraverait
gravement l’activité de l’organisation,
(ii) the time required to undertake any
consultations necessary to respond to the
request would make the time limit impracticable to meet; or
(ii) toute consultation nécessaire pour
donner suite à la demande rendrait pratiquement impossible l’observation du
délai;
(b) for the period that is necessary in order
to be able to convert the personal information into an alternative format.
b) de la période nécessaire au transfert des
renseignements visés sur support de substitution.
1999-2000
Protection des renseignements personnels et documents électroniques
ch. 5
In either case, the organization shall, no later
than thirty days after the date of the request,
send a notice of extension to the individual,
advising them of the new time limit, the reasons for extending the time limit and of their
right to make a complaint to the Commissioner in respect of the extension.
Dans l’un ou l’autre cas, l’organisation envoie
au demandeur, dans les trente jours suivant la
demande, un avis de prorogation l’informant
du nouveau délai, des motifs de la prorogation
et de son droit de déposer auprès du commissaire une plainte à propos de la prorogation.
Deemed
refusal
(5) If the organization fails to respond
within the time limit, the organization is
deemed to have refused the request.
(5) Faute de répondre dans le délai, l’organisation est réputée avoir refusé d’acquiescer
à la demande.
Présomption
Costs for
responding
(6) An organization may respond to an
individual’s request at a cost to the individual
only if
(6) Elle ne peut exiger de droits pour
répondre à la demande que si, à la fois, elle
informe le demandeur du montant approximatif de ceux-ci et celui-ci l’avise qu’il ne retire
pas sa demande.
Coût
(a) the organization has informed the individual of the approximate cost; and
(b) the individual has advised the organization that the request is not being withdrawn.
Reasons
(7) An organization that responds within the
time limit and refuses a request shall inform
the individual in writing of the refusal, setting
out the reasons and any recourse that they may
have under this Part.
(7) L’organisation qui refuse, dans le délai
prévu, d’acquiescer à la demande notifie par
écrit au demandeur son refus motivé et
l’informe des recours que lui accorde la
présente partie.
Refus motivé
Retention of
information
(8) Despite clause 4.5 of Schedule 1, an
organization that has personal information
that is the subject of a request shall retain the
information for as long as is necessary to allow
the individual to exhaust any recourse under
this Part that they may have.
(8) Malgré l’article 4.5 de l’annexe 1,
l’organisation qui détient un renseignement
faisant l’objet d’une demande doit le conserver le temps nécessaire pour permettre au
demandeur d’épuiser ses recours.
Conservation
des
renseignements
When access
prohibited
9. (1) Despite clause 4.9 of Schedule 1, an
organization shall not give an individual
access to personal information if doing so
would likely reveal personal information
about a third party. However, if the information about the third party is severable from the
record containing the information about the
individual, the organization shall sever the
information about the third party before
giving the individual access.
9. (1) Malgré l’article 4.9 de l’annexe 1,
l’organisation ne peut communiquer de renseignement à l’intéressé dans le cas où cette
communication révélerait vraisemblablement
un renseignement personnel sur un tiers.
Toutefois, si ce dernier renseignement peut
être retranché du document en cause, l’organisation est tenue de le retrancher puis de
communiquer à l’intéressé le renseignement
le concernant.
Cas où la
communication est
interdite
Limit
(2) Subsection (1) does not apply if the third
party consents to the access or the individual
needs the information because an individual’s
life, health or security is threatened.
(2) Le paragraphe (1) ne s’applique pas si le
tiers consent à la communication ou si l’intéressé a besoin du renseignement parce que la
vie, la santé ou la sécurité d’un individu est en
danger.
Non-application
Information
related to
paragraphs
7(3)(c), (c.1)
or (d)
(2.1) An organization shall comply with
subsection (2.2) if an individual requests that
the organization
(2.1) L’organisation est tenue de se conformer au paragraphe (2.2) si l’intéressé lui
demande :
Renseignements relatifs
aux al. 7(3)c),
c.1) ou d)
(a) inform the individual about
(i) any disclosure of information to a
government institution or a part of a
government institution under paragraph
7(3)(c), subparagraph 7(3)(c.1)(i) or (ii)
or paragraph 7(3)(d), or
(ii) the existence of any information that
the organization has relating to a disclosure referred to in subparagraph (i), to a
subpoena, warrant or order referred to in
paragraph 7(3)(c) or to a request made by
a government institution or a part of a
government institution under subparagraph 7(3)(c.1)(i) or (ii); or
(b) give the individual access to the information referred to in subparagraph
(a)(ii).
a) de l’aviser, selon le cas :
(i) de toute communication faite à une
institution gouvernementale ou à une
subdivision d’une telle institution en
vertu de l’alinéa 7(3)c), des sous-alinéas
7(3)c.1)(i) ou (ii) ou de l’alinéa 7(3)d),
(ii) de l’existence de renseignements
détenus par l’organisation et relatifs soit
à toute telle communication, soit à une
assignation, un mandat ou une ordonnance visés à l’alinéa 7(3)c), soit à une
demande de communication faite par une
institution gouvernementale ou une subdivision d’une telle institution en vertu
de ces sous-alinéas;
b) de lui communiquer ces renseignements.
Notification
and response
(2.2) An organization to which subsection
(2.1) applies
(a) shall, in writing and without delay,
notify the institution or part concerned of
the request made by the individual; and
(b) shall not respond to the request before
the earlier of
(i) the day on which it is notified under
subsection (2.3), and
(ii) thirty days after the day on which the
institution or part was notified.
(2.2) Le cas échéant, l’organisation :
a) notifie par écrit et sans délai la demande
à l’institution gouvernementale ou à la
subdivision d’une telle institution concernée;
b) ne peut donner suite à la demande avant
le jour où elle reçoit l’avis prévu au
paragraphe (2.3) ou, s’il est antérieur, le
trentième jour suivant celui où l’institution
ou la subdivision reçoit notification.
Notification
et réponse
Objection
(2.3) Within thirty days after the day on
which it is notified under subsection (2.2), the
institution or part shall notify the organization
whether or not the institution or part objects to
the organization complying with the request.
The institution or part may object only if the
institution or part is of the opinion that
compliance with the request could reasonably
be expected to be injurious to
(a) national security, the defence of Canada
or the conduct of international affairs; or
(b) the enforcement of any law of Canada,
a province or a foreign jurisdiction, an
investigation relating to the enforcement of
any such law or the gathering of intelligence for the purpose of enforcing any such
law.
(2.3) Dans les trente jours suivant celui où
la demande lui est notifiée, l’institution ou la
subdivision avise l’organisation du fait qu’elle
s’oppose ou non à ce que celle-ci acquiesce à
la demande. Elle ne peut s’y opposer que si
elle est d’avis que faire droit à la demande
risquerait vraisemblablement de nuire :
a) à la sécurité nationale, à la défense du
Canada ou à la conduite des affaires internationales;
b) au contrôle d’application du droit canadien, provincial ou étranger, à une enquête
liée à ce contrôle d’application ou à la
collecte de renseignements en matière de
sécurité en vue de ce contrôle d’application.
Opposition
Prohibition
(2.4) Despite clause 4.9 of Schedule 1, if an
organization is notified under subsection (2.3)
that the institution or part objects to the
organization complying with the request, the
organization
(a) shall refuse the request to the extent that
it relates to paragraph (2.1)(a) or to information referred to in subparagraph
(2.1)(a)(ii);
(b) shall notify the Commissioner, in writing and without delay, of the refusal; and
(c) shall not disclose to the individual
(i) any information that the organization
has relating to a disclosure to a government institution or a part of a government
institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph
7(3)(d) or to a request made by a
government institution or a part of a
government institution under either of
those subparagraphs,
(ii) that the organization notified an
institution or part under paragraph
(2.2)(a) or the Commissioner under paragraph (b), or
(iii) that the institution or part objects.
(2.4) Malgré l’article 4.9 de l’annexe 1, si
elle est informée que l’institution ou la
subdivision s’oppose à ce qu’elle acquiesce à
la demande, l’organisation :
Refus
d’acquiescer
à la demande
a) refuse d’y acquiescer dans la mesure où
la demande est visée à l’alinéa (2.1)a) ou se
rapporte à des renseignements visés à cet
alinéa;
b) en avise par écrit et sans délai le
commissaire;
c) ne communique à l’intéressé :
(i) ni les renseignements détenus par
l’organisation et relatifs à toute communication faite à une institution gouvernementale ou à une subdivision d’une telle
institution en vertu de l’alinéa 7(3)c), des
sous-alinéas 7(3)c.1)(i) ou (ii) ou de
l’alinéa 7(3)d) ou à une demande de
communication faite par une institution
gouvernementale ou une subdivision
d’une telle institution en vertu de ces
sous-alinéas,
(ii) ni le fait qu’il y a eu notification de la
demande à l’institution gouvernementale
ou à une subdivision en application de
l’alinéa (2.2)a) ou que le commissaire en
a été avisé en application de l’alinéa b),
(iii) ni le fait que l’institution ou la
subdivision s’oppose à ce que l’organisme acquiesce à la demande.
When access
may be
refused
(3) Despite the note that accompanies
clause 4.9 of Schedule 1, an organization is not
required to give access to personal information only if
(a) the information is protected by solicitor-client privilege;
(b) to do so would reveal confidential
commercial information;
(c) to do so could reasonably be expected to
threaten the life or security of another
individual;
(c.1) the information was collected under
paragraph 7(1)(b); or
(d) the information was generated in the
course of a formal dispute resolution process.
(3) Malgré la note afférente à l’article 4.9 de
l’annexe 1, l’organisation n’est pas tenue de
communiquer à l’intéressé des renseignements personnels dans les cas suivants seulement :
a) les renseignements sont protégés par le
secret professionnel liant l’avocat à son
client;
b) la communication révélerait des renseignements commerciaux confidentiels;
c) elle risquerait vraisemblablement de
nuire à la vie ou la sécurité d’un autre
individu;
c.1) les renseignements ont été recueillis au
titre de l’alinéa 7(1)b);
d) les renseignements ont été fournis uniquement à l’occasion d’un règlement officiel des différends.
Cas où la
communication peut
être refusée
However, in the circumstances described in
paragraph (b) or (c), if giving access to the information would reveal confidential commercial information or could reasonably be expected to threaten the life or security of another individual, as the case may be, and that information is severable from the record containing any other information for which access
is requested, the organization shall give the individual access after severing.
Toutefois, dans les cas visés aux alinéas b) ou
c), si les renseignements commerciaux confidentiels ou les renseignements dont la communication risquerait vraisemblablement de
nuire à la vie ou la sécurité d’un autre individu
peuvent être retranchés du document en cause,
l’organisation est tenue de faire la communication en retranchant ces renseignements.
Limit
(4) Subsection (3) does not apply if the
individual needs the information because an
individual’s life, health or security is threatened.
(4) Le paragraphe (3) ne s’applique pas si
l’intéressé a besoin des renseignements parce
que la vie, la santé ou la sécurité d’un individu
est en danger.
Non-application
Notice
(5) If an organization decides not to give
access to personal information in the circumstances set out in paragraph (3)(c.1), the
organization shall, in writing, so notify the
Commissioner, and shall include in the notification any information that the Commissioner
may specify.
(5) Si elle décide de ne pas communiquer
les renseignements dans le cas visé à l’alinéa
(3)c.1), l’organisation en avise par écrit le
commissaire et lui fournit les renseignements
qu’il peut préciser.
Avis
Sensory
disability
10. An organization shall give access to
personal information in an alternative format
to an individual with a sensory disability who
has a right of access to personal information
under this Part and who requests that it be
transmitted in the alternative format if
10. L’organisation communique les renseignements personnels sur support de substitution à toute personne ayant une déficience
sensorielle qui y a droit sous le régime de la
présente partie et qui en fait la demande, dans
les cas suivants :
Déficience
sensorielle
(a) a version of the information already
exists in that format; or
a) une version des renseignements visés
existe déjà sur un tel support;
(b) its conversion into that format is reasonable and necessary in order for the individual to be able to exercise rights under this
Part.
b) leur transfert sur un tel support est
raisonnable et nécessaire pour que la personne puisse exercer les droits qui lui sont
conférés sous le régime de la présente
partie.
DIVISION 2
SECTION 2
REMEDIES
RECOURS
Filing of Complaints
Dépôt des plaintes
Contravention
11. (1) An individual may file with the
Commissioner a written complaint against an
organization for contravening a provision of
Division 1 or for not following a recommendation set out in Schedule 1.
11. (1) Tout intéressé peut déposer auprès
du commissaire une plainte contre une organisation qui contrevient à l’une des dispositions
de la section 1 ou qui omet de mettre en oeuvre
une recommandation énoncée dans l’annexe 1.
Violation
Commissioner
may initiate
complaint
(2) If the Commissioner is satisfied that
there are reasonable grounds to investigate a
matter under this Part, the Commissioner may
initiate a complaint in respect of the matter.
(2) Le commissaire peut lui-même prendre
l’initiative d’une plainte s’il a des motifs
raisonnables de croire qu’une enquête devrait
être menée sur une question relative à l’application de la présente partie.
Plaintes
émanant du
commissaire
Time limit
(3) A complaint that results from the refusal
to grant a request under section 8 must be filed
within six months, or any longer period that
the Commissioner allows, after the refusal or
after the expiry of the time limit for responding to the request, as the case may be.
(3) Lorsqu’elle porte sur le refus d’acquiescer à une demande visée à l’article 8, la plainte
doit être déposée dans les six mois suivant,
selon le cas, le refus ou l’expiration du délai
pour répondre à la demande, à moins que le
commissaire n’accorde un délai supplémentaire.
Délai
Notice
(4) The Commissioner shall give notice of
a complaint to the organization against which
the complaint was made.
(4) Le commissaire donne avis de la plainte
à l’organisation visée par celle-ci.
Avis
Investigations of Complaints
Examen des plaintes
12. (1) The Commissioner shall conduct an
investigation in respect of a complaint and, for
that purpose, may
12. (1) Le commissaire procède à l’examen
de toute plainte et, à cette fin, a le pouvoir :
Powers of
Commissioner
(a) summon and enforce the appearance of
persons before the Commissioner and compel them to give oral or written evidence on
oath and to produce any records and things
that the Commissioner considers necessary
to investigate the complaint, in the same
manner and to the same extent as a superior
court of record;
(b) administer oaths;
a) d’assigner et de contraindre des témoins
à comparaître devant lui, à déposer verbalement ou par écrit sous la foi du serment et
à produire les documents ou pièces qu’il
juge nécessaires pour examiner la plainte
dont il est saisi, de la même façon et dans la
même mesure qu’une cour supérieure d’archives;
b) de faire prêter serment;
(c) receive and accept any evidence and
other information, whether on oath, by
affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would
be admissible in a court of law;
c) de recevoir les éléments de preuve ou les
renseignements — fournis notamment par
déclaration verbale ou écrite sous serment — qu’il estime indiqués, indépendamment de leur admissibilité devant les
tribunaux;
(d) at any reasonable time, enter any
premises, other than a dwelling-house,
occupied by an organization on satisfying
any security requirements of the organization relating to the premises;
d) de visiter, à toute heure convenable, tout
local — autre qu’une maison d’habitation — occupé par l’organisation, à condition de satisfaire aux normes de sécurité
établies par elle pour ce local;
(e) converse in private with any person in
any premises entered under paragraph (d)
and otherwise carry out in those premises
any inquiries that the Commissioner sees
fit; and
e) de s’entretenir en privé avec toute
personne se trouvant dans le local visé à
l’alinéa d) et d’y mener les enquêtes qu’il
estime nécessaires;
(f) examine or obtain copies of or extracts
from records found in any premises entered
under paragraph (d) that contain any matter
relevant to the investigation.
f) d’examiner ou de se faire remettre des
copies ou des extraits des documents contenant des éléments utiles à l’examen de la
plainte et trouvés dans le local visé à
l’alinéa d).
Pouvoirs du
commissaire
Dispute
resolution
mechanisms
(2) The Commissioner may attempt to
resolve complaints by means of dispute resolution mechanisms such as mediation and
conciliation.
(2) Il peut tenter de parvenir au règlement
de la plainte en ayant recours à un mode de
règlement des différends, notamment la médiation et la conciliation.
Mode de
règlement des
différends
Delegation
(3) The Commissioner may delegate any of
the powers set out in subsection (1) or (2).
(3) Il peut déléguer les pouvoirs que les
paragraphes (1) et (2) lui confèrent.
Délégation
Return of
records
(4) The Commissioner or the delegate shall
return to a person or an organization any
record or thing that they produced under this
section within ten days after they make a
request to the Commissioner or the delegate,
but nothing precludes the Commissioner or
the delegate from again requiring that the
record or thing be produced.
(4) Le commissaire ou son délégué renvoie
les documents ou pièces demandés en vertu du
présent article aux personnes ou organisations
qui les ont produits dans les dix jours suivant
la requête que celles-ci lui présentent à cette
fin, mais rien n’empêche le commissaire ou
son délégué d’en réclamer une nouvelle
production.
Renvoi des
documents
Certificate of
delegation
(5) Any person to whom powers set out in
subsection (1) are delegated shall be given a
certificate of the delegation and the delegate
shall produce the certificate, on request, to the
person in charge of any premises to be entered
under paragraph (1)(d).
(5) Chaque personne à qui les pouvoirs
visés au paragraphe (1) sont délégués reçoit un
certificat attestant sa qualité, qu’il présente,
sur demande, au responsable du local qui sera
visité en application de l’alinéa (1)d).
Certificat
Commissioner’s Report
Rapport du commissaire
13. (1) The Commissioner shall, within one
year after the day on which a complaint is filed
or is initiated by the Commissioner, prepare a
report that contains
13. (1) Dans l’année suivant, selon le cas, la
date du dépôt de la plainte ou celle où il en a
pris l’initiative, le commissaire dresse un
rapport où :
(a) the Commissioner’s findings and recommendations;
a) il présente ses conclusions et recommandations;
(b) any settlement that was reached by the
parties;
b) il fait état de tout règlement intervenu
entre les parties;
(c) if appropriate, a request that the organization give the Commissioner, within a
specified time, notice of any action taken or
proposed to be taken to implement the
recommendations contained in the report or
reasons why no such action has been or is
proposed to be taken; and
c) il demande, s’il y a lieu, à l’organisation
de lui donner avis, dans un délai déterminé,
soit des mesures prises ou envisagées pour
la mise en oeuvre de ses recommandations,
soit des motifs invoqués pour ne pas y
donner suite;
Contents
(d) the recourse, if any, that is available
under section 14.
Where no
report
(2) The Commissioner is not required to
prepare a report if the Commissioner is
satisfied that
Contenu
d) mentionne, s’il y a lieu, l’existence du
recours prévu à l’article 14.
(2) Il n’est toutefois pas tenu de dresser un
rapport s’il est convaincu que, selon le cas :
(a) the complainant ought first to exhaust
grievance or review procedures otherwise
reasonably available;
a) le plaignant devrait d’abord épuiser les
recours internes ou les procédures d’appel
ou de règlement des griefs qui lui sont
normalement ouverts;
(b) the complaint could more appropriately
be dealt with, initially or completely, by
means of a procedure provided for under the
laws of Canada, other than this Part, or the
laws of a province;
b) la plainte pourrait avantageusement être
instruite, dans un premier temps ou à toutes
les étapes, selon des procédures prévues par
le droit fédéral — à l’exception de la présente partie — ou le droit provincial;
Aucun
rapport
(c) the length of time that has elapsed
between the date when the subject-matter of
the complaint arose and the date when the
complaint was filed is such that a report
would not serve a useful purpose; or
c) le délai écoulé entre la date où l’objet de
la plainte a pris naissance et celle du dépôt
de celle-ci est tel que le rapport serait
inutile;
(d) the complaint is trivial, frivolous or
vexatious or is made in bad faith.
If a report is not to be prepared, the Commissioner shall inform the complainant and the
organization and give reasons.
d) la plainte est futile, vexatoire ou entachée
de mauvaise foi.
Le cas échéant, il en informe le plaignant et
l’organisation, motifs à l’appui.
Report to
parties
(3) The report shall be sent to the complainant and the organization without delay.
(3) Le rapport est transmis sans délai au
plaignant et à l’organisation.
Transmission
aux parties
Hearing by Court
Audience de la Cour
Application
14. (1) A complainant may, after receiving
the Commissioner’s report, apply to the Court
for a hearing in respect of any matter in respect
of which the complaint was made, or that is
referred to in the Commissioner’s report, and
that is referred to in clause 4.1.3, 4.2, 4.3.3,
4.4, 4.6, 4.7 or 4.8 of Schedule 1, in clause 4.3,
4.5 or 4.9 of that Schedule as modified or
clarified by Division 1, in subsection 5(3) or
8(6) or (7) or in section 10.
14. (1) Après avoir reçu le rapport du
commissaire, le plaignant peut demander que
la Cour entende toute question qui a fait
l’objet de la plainte — ou qui est mentionnée
dans le rapport — et qui est visée aux articles
4.1.3, 4.2, 4.3.3, 4.4, 4.6, 4.7 ou 4.8 de
l’annexe 1, aux articles 4.3, 4.5 ou 4.9 de cette
annexe tels que modifiés ou clarifiés par la
section 1, aux paragraphes 5(3) ou 8(6) ou (7)
ou à l’article 10.
Demande
Time of
application
(2) The application must be made within
forty-five days after the report is sent or within
any further time that the Court may, either
before or after the expiry of those forty-five
days, allow.
(2) La demande est faite dans les quarante-cinq jours suivant la transmission du rapport
ou dans le délai supérieur que la Cour autorise
avant ou après l’expiration des quarante-cinq
jours.
Délai
For greater
certainty
(3) For greater certainty, subsections (1)
and (2) apply in the same manner to complaints referred to in subsection 11(2) as to
complaints referred to in subsection 11(1).
(3) Il est entendu que les paragraphes (1) et
(2) s’appliquent de la même façon aux plaintes
visées au paragraphe 11(2) qu’à celles visées
au paragraphe 11(1).
Précision
Commissioner
may apply or
appear
15. The Commissioner may, in respect of a
complaint that the Commissioner did not
initiate,
15. S’agissant d’une plainte dont il n’a pas
pris l’initiative, le commissaire a qualité
pour :
Exercice du
recours par le
commissaire
(a) apply to the Court, within the time
limited by section 14, for a hearing in
respect of any matter described in that
section, if the Commissioner has the consent of the complainant;
a) demander lui-même, dans le délai prévu
à l’article 14, l’audition de toute question
visée à cet article, avec le consentement du
plaignant;
(b) appear before the Court on behalf of any
complainant who has applied for a hearing
under section 14; or
b) comparaître devant la Cour au nom du
plaignant qui a demandé l’audition de la
question;
(c) with leave of the Court, appear as a party
to any hearing applied for under section 14.
c) comparaître, avec l’autorisation de la
Cour, comme partie à la procédure.
16. The Court may, in addition to any other
remedies it may give,
16. La Cour peut, en sus de toute autre
réparation qu’elle accorde :
(a) order an organization to correct its
practices in order to comply with sections 5
to 10;
a) ordonner à l’organisation de revoir ses
pratiques de façon à se conformer aux
articles 5 à 10;
(b) order an organization to publish a notice
of any action taken or proposed to be taken
to correct its practices, whether or not
ordered to correct them under paragraph
(a); and
b) lui ordonner de publier un avis énonçant
les mesures prises ou envisagées pour
corriger ses pratiques, que ces dernières
aient ou non fait l’objet d’une ordonnance
visée à l’alinéa a);
(c) award damages to the complainant,
including damages for any humiliation that
the complainant has suffered.
c) accorder au plaignant des dommages-intérêts, notamment en réparation de l’humiliation subie.
Summary
hearings
17. (1) An application made under section
14 or 15 shall be heard and determined without
delay and in a summary way unless the Court
considers it inappropriate to do so.
17. (1) Le recours prévu aux articles 14 ou
15 est entendu et jugé sans délai et selon une
procédure sommaire, à moins que la Cour ne
l’estime contre-indiqué.
Procédure
sommaire
Precautions
(2) In any proceedings arising from an
application made under section 14 or 15, the
Court shall take every reasonable precaution,
including, when appropriate, receiving representations ex parte and conducting hearings in
camera, to avoid the disclosure by the Court or
any person of any information or other
material that the organization would be authorized to refuse to disclose if it were requested
under clause 4.9 of Schedule 1.
(2) À l’occasion des procédures relatives au
recours prévu aux articles 14 ou 15, la Cour
prend toutes les précautions possibles, notamment, si c’est indiqué, par la tenue d’audiences à huis clos et l’audition d’arguments en
l’absence d’une partie, pour éviter que ne
soient divulgués, de par son propre fait ou
celui de quiconque, des renseignements qui
justifient un refus de communication de
renseignements personnels demandés en vertu
de l’article 4.9 de l’annexe 1.
Précautions à
prendre
DIVISION 3
SECTION 3
AUDITS
VÉRIFICATIONS
18. (1) The Commissioner may, on reasonable notice and at any reasonable time, audit
the personal information management practices of an organization if the Commissioner
has reasonable grounds to believe that the
organization is contravening a provision of
Division 1 or is not following a recommendation set out in Schedule 1, and for that purpose
may
18. (1) Le commissaire peut, sur préavis
suffisant et à toute heure convenable, procéder
à la vérification des pratiques de l’organisation en matière de gestion des renseignements
personnels s’il a des motifs raisonnables de
croire que celle-ci a contrevenu à l’une des
dispositions de la section 1 ou n’a pas mis en
oeuvre une recommandation énoncée dans
l’annexe 1; il a, à cette fin, le pouvoir :
(a) summon and enforce the appearance of
persons before the Commissioner and compel them to give oral or written evidence on
oath and to produce any records and things
that the Commissioner considers necessary
for the audit, in the same manner and to the
same extent as a superior court of record;
a) d’assigner et de contraindre des témoins
à comparaître devant lui, à déposer verbalement ou par écrit sous la foi du serment et
à produire les documents ou pièces qu’il
juge nécessaires pour procéder à la vérification, de la même façon et dans la même
mesure qu’une cour supérieure d’archives;
Remedies
To ensure
compliance
Réparations
Contrôle
d’application
(b) administer oaths;
b) de faire prêter serment;
(c) receive and accept any evidence and
other information, whether on oath, by
affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would
be admissible in a court of law;
c) de recevoir les éléments de preuve ou les
renseignements — fournis notamment par
déclaration verbale ou écrite sous serment — qu’il estime indiqués, indépendamment de leur admissibilité devant les
tribunaux;
(d) at any reasonable time, enter any
premises, other than a dwelling-house,
occupied by the organization on satisfying
any security requirements of the organization relating to the premises;
d) de visiter, à toute heure convenable, tout
local — autre qu’une maison d’habitation — occupé par l’organisation, à condition de satisfaire aux normes de sécurité
établies par elle pour ce local;
(e) converse in private with any person in
any premises entered under paragraph (d)
and otherwise carry out in those premises
any inquiries that the Commissioner sees
fit; and
e) de s’entretenir en privé avec toute
personne se trouvant dans le local visé à
l’alinéa d) et d’y mener les enquêtes qu’il
estime nécessaires;
(f) examine or obtain copies of or extracts
from records found in any premises entered
under paragraph (d) that contain any matter
relevant to the audit.
f) d’examiner ou de se faire remettre des
copies ou des extraits des documents contenant des éléments utiles à la vérification et
trouvés dans le local visé à l’alinéa d).
Delegation
(2) The Commissioner may delegate any of
the powers set out in subsection (1).
(2) Il peut déléguer les pouvoirs que le
paragraphe (1) lui confère.
Délégation
Return of
records
(3) The Commissioner or the delegate shall
return to a person or an organization any
record or thing they produced under this
section within ten days after they make a
request to the Commissioner or the delegate,
but nothing precludes the Commissioner or
the delegate from again requiring that the
record or thing be produced.
(3) Le commissaire ou son délégué renvoie
les documents ou pièces demandés en vertu du
présent article aux personnes ou organisations
qui les ont produits dans les dix jours suivant
la requête que celles-ci lui présentent à cette
fin, mais rien n’empêche le commissaire ou
son délégué d’en réclamer une nouvelle
production.
Renvoi des
documents
Certificate of
delegation
(4) Any person to whom powers set out in
subsection (1) are delegated shall be given a
certificate of the delegation and the delegate
shall produce the certificate, on request, to the
person in charge of any premises to be entered
under paragraph (1)(d).
(4) Chaque personne à qui les pouvoirs
visés au paragraphe (1) sont délégués reçoit un
certificat attestant sa qualité, qu’il présente,
sur demande, au responsable du local qui sera
visité en application de l’alinéa (1)d).
Certificat
Report of
findings and
recommendations
19. (1) After an audit, the Commissioner
shall provide the audited organization with a
report that contains the findings of the audit
and any recommendations that the Commissioner considers appropriate.
19. (1) À l’issue de la vérification, le
commissaire adresse à l’organisation en cause
un rapport où il présente ses conclusions ainsi
que les recommandations qu’il juge indiquées.
Rapport des
conclusions
et
recommandations du
commissaire
Reports may
be included in
annual reports
(2) The report may be included in a report
made under section 25.
(2) Ce rapport peut être incorporé dans le
rapport visé à l’article 25.
Incorporation
du rapport
DIVISION 4
SECTION 4
GENERAL
DISPOSITIONS GÉNÉRALES
Confidentiality
20. (1) Subject to subsections (2) to (5),
13(3) and 19(1), the Commissioner or any
person acting on behalf or under the direction
of the Commissioner shall not disclose any
information that comes to their knowledge as
a result of the performance or exercise of any
of the Commissioner’s duties or powers under
this Part.
20. (1) Sous réserve des paragraphes (2) à
(5), 13(3) et 19(1), le commissaire et les
personnes agissant en son nom ou sous son
autorité sont tenus au secret en ce qui concerne
les renseignements dont ils prennent connaissance par suite de l’exercice des attributions
que la présente partie confère au commissaire.
Secret
Public interest
(2) The Commissioner may make public
any information relating to the personal
information management practices of an organization if the Commissioner considers that it
is in the public interest to do so.
(2) Le commissaire peut rendre publique
toute information relative aux pratiques d’une
organisation en matière de gestion des renseignements personnels, s’il estime que cela est
dans l’intérêt public.
Intérêt public
Disclosure of
necessary
information
(3) The Commissioner may disclose, or
may authorize any person acting on behalf or
under the direction of the Commissioner to
disclose, information that in the Commissioner’s opinion is necessary to
(3) Il peut communiquer — ou autoriser les
personnes agissant en son nom ou sous son
autorité à communiquer — les renseignements qui, à son avis, sont nécessaires pour :
Communication de
renseignements
nécessaires
(a) conduct an investigation or audit under
this Part; or
(b) establish the grounds for findings and
recommendations contained in any report
under this Part.
a) examiner une plainte ou procéder à une
vérification en vertu de la présente partie;
b) motiver les conclusions et recommandations contenues dans les rapports prévus par
la présente partie.
Disclosure in
the course of
proceedings
(4) The Commissioner may disclose, or
may authorize any person acting on behalf or
under the direction of the Commissioner to
disclose, information in the course of
(a) a prosecution for an offence under
section 28;
(b) a prosecution for an offence under
section 132 of the Criminal Code (perjury)
in respect of a statement made under this
Part;
(c) a hearing before the Court under this
Part; or
(d) an appeal from a decision of the Court.
(4) Il peut également communiquer — ou
autoriser les personnes agissant en son nom ou
sous son autorité à communiquer — des renseignements soit dans le cadre des procédures
intentées pour l’infraction visée à l’article 28
ou pour l’infraction visée à l’article 132 du
Code criminel (parjure) se rapportant à une
déclaration faite en vertu de la présente partie,
soit lors d’une audience de la Cour prévue par
cette partie ou lors de l’appel de la décision
rendue par celle-ci.
Communication dans le
cadre de
certaines
procédures
Disclosure of
offence
authorized
(5) The Commissioner may disclose to the
Attorney General of Canada or of a province,
as the case may be, information relating to the
commission of an offence against any law of
Canada or a province on the part of an officer
or employee of an organization if, in the
Commissioner’s opinion, there is evidence of
an offence.
(5) Dans les cas où, à son avis, il existe des
éléments de preuve touchant la perpétration
d’infractions au droit fédéral ou provincial par
un cadre ou employé d’une organisation, le
commissaire peut faire part au procureur
général du Canada ou d’une province, selon le
cas, des renseignements qu’il détient à cet
égard.
Dénonciation
autorisée
Not
competent
witness
21. The Commissioner or person acting on
behalf or under the direction of the Commissioner is not a competent witness in respect of
any matter that comes to their knowledge as a
result of the performance or exercise of any of
the Commissioner’s duties or powers under
this Part in any proceeding other than
(a) a prosecution for an offence under
section 28;
(b) a prosecution for an offence under
section 132 of the Criminal Code (perjury)
in respect of a statement made under this
Part;
(c) a hearing before the Court under this
Part; or
(d) an appeal from a decision of the Court.
21. En ce qui concerne les questions venues
à leur connaissance par suite de l’exercice des
attributions que la présente partie confère au
commissaire, le commissaire et les personnes
agissant en son nom ou sous son autorité n’ont
qualité pour témoigner que dans le cadre des
procédures intentées pour l’infraction visée à
l’article 28 ou pour l’infraction visée à
l’article 132 du Code criminel (parjure) se
rapportant à une déclaration faite en vertu de
la présente partie, lors d’une audience de la
Cour prévue par cette partie ou lors de l’appel
de la décision rendue par celle-ci.
Qualité pour
témoigner
Protection of
Commissioner
22. (1) No criminal or civil proceedings lie
against the Commissioner, or against any
person acting on behalf or under the direction
of the Commissioner, for anything done,
reported or said in good faith as a result of the
performance or exercise or purported performance or exercise of any duty or power of the
Commissioner under this Part.
22. (1) Le commissaire et les personnes
agissant en son nom ou sous son autorité
bénéficient de l’immunité en matière civile ou
pénale pour les actes accomplis, les rapports
établis et les paroles prononcées de bonne foi
par suite de l’exercice effectif ou censé tel des
attributions que la présente partie confère au
commissaire.
Immunité du
commissaire
Libel or
slander
(2) For the purposes of any law relating to
libel or slander,
(2) Ne peuvent donner lieu à poursuites
pour diffamation verbale ou écrite :
Diffamation
(a) anything said, any information supplied
or any record or thing produced in good
faith in the course of an investigation or
audit carried out by or on behalf of the
Commissioner under this Part is privileged;
and
a) les paroles prononcées, les renseignements fournis ou les documents ou pièces
produits de bonne foi au cours d’une
vérification ou de l’examen d’une plainte
effectué par le commissaire ou en son nom
dans le cadre de la présente partie;
(b) any report made in good faith by the
Commissioner under this Part and any fair
and accurate account of the report made in
good faith for the purpose of news reporting
is privileged.
b) les rapports établis de bonne foi par le
commissaire dans le cadre de la présente
partie, ainsi que les relations qui en sont
faites de bonne foi pour des comptes rendus
d’événements d’actualités.
23. (1) If the Commissioner considers it
appropriate to do so, or on the request of an
interested person, the Commissioner may, in
order to ensure that personal information is
protected in as consistent a manner as possible, consult with any person who, under
provincial legislation that is substantially
similar to this Part, has powers and duties
similar to those of the Commissioner.
23. (1) S’il l’estime indiqué ou si tout
intéressé le lui demande, le commissaire peut,
pour veiller à ce que les renseignements
personnels soient protégés de la façon la plus
uniforme possible, consulter toute personne
ayant, au titre d’une loi provinciale essentiellement similaire à la présente partie, des
attributions semblables à celles du commissaire.
Consultations with
provinces
Consultation
avec les
provinces
Agreements
(2) The Commissioner may enter into
agreements with any person with whom the
Commissioner may consult under subsection
(1)
(a) to coordinate the activities of their
offices and the office of the Commissioner,
including to provide for mechanisms for the
handling of any complaint in which they are
mutually interested;
(b) to undertake and publish research related to the protection of personal information; and
(c) to develop model contracts for the
protection of personal information that is
collected, used or disclosed interprovincially or internationally.
Promoting the
purposes of
the Part
(2) Il peut conclure des accords avec toute
telle personne en vue :
a) de coordonner l’activité de leurs bureaux
respectifs, notamment de prévoir des mécanismes pour instruire les plaintes dans
lesquelles ils ont un intérêt mutuel;
b) de faire des recherches liées à la protection des renseignements personnels et d’en
publier les résultats;
c) d’élaborer des contrats types portant sur
la protection des renseignements personnels recueillis, utilisés ou communiqués
d’une province à l’autre ou d’un pays à
l’autre.
24. The Commissioner shall
(a) develop and conduct information programs to foster public understanding, and
recognition of the purposes, of this Part;
24. Le commissaire :
a) offre au grand public des programmes
d’information destinés à lui faire mieux
comprendre la présente partie et son objet;
(b) undertake and publish research that is
related to the protection of personal information, including any such research that
is requested by the Minister of Industry;
b) fait des recherches liées à la protection
des renseignements personnels — et en
publie les résultats —, notamment toutes
telles recherches que le ministre de l’Industrie demande;
(c) encourage organizations to develop
detailed policies and practices, including
organizational codes of practice, to comply
with sections 5 to 10; and
(d) promote, by any means that the Commissioner considers appropriate, the purposes of this Part.
Accords
Promotion de
l’objet de la
partie
c) encourage les organisations à élaborer
des politiques détaillées — notamment des
codes de pratiques — en vue de se conformer aux articles 5 à 10;
d) prend toute autre mesure indiquée pour la
promotion de l’objet de la présente partie.
Annual report
25. (1) The Commissioner shall, as soon as
practicable after the end of each calendar year,
submit to Parliament a report concerning the
application of this Part, the extent to which the
provinces have enacted legislation that is
substantially similar to this Part and the
application of any such legislation.
25. (1) Dans les meilleurs délais après la fin
de l’année civile, le commissaire dépose
devant le Parlement son rapport sur l’application de la présente partie, sur la mesure dans
laquelle les provinces ont édicté des lois
essentiellement similaires à celle-ci et sur
l’application de ces lois.
Rapport
annuel
Consultation
(2) Before preparing the report, the Commissioner shall consult with those persons in
the provinces who, in the Commissioner’s
opinion, are in a position to assist the Commissioner in reporting respecting personal information that is collected, used or disclosed
interprovincially or internationally.
(2) Avant de rédiger son rapport, le commissaire consulte les personnes dans les provinces
qui, à son avis, sont en mesure de l’aider à faire
un rapport concernant les renseignements
personnels recueillis, utilisés ou communiqués d’une province à l’autre ou d’un pays à
l’autre.
Consultation
Regulations
26. (1) The Governor in Council may make
regulations
26. (1) Le gouverneur en conseil peut, par
règlement :
Règlements
(a) specifying, by name or by class, what is
a government institution or part of a
government institution for the purposes of
any provision of this Part;
(a.01) specifying, by name or by class, what
is an investigative body for the purposes of
paragraph 7(3)(d) or (h.2);
(a.1) specifying information or classes of
information for the purpose of paragraph
7(1)(d), (2)(c.1) or (3)(h.1); and
(b) for carrying out the purposes and
provisions of this Part.
Orders
a) préciser, pour l’application de toute
disposition de la présente partie, les institutions gouvernementales et les subdivisions
d’institutions gouvernementales, à titre particulier ou par catégorie;
a.01) préciser, pour l’application des alinéas 7(3)d) ou h.2), les organismes d’enquête, à titre particulier ou par catégorie;
a.1) préciser tout renseignement ou toute
catégorie de renseignements pour l’application des alinéas 7(1)d), (2)c.1) ou (3)h.1);
b) prendre toute mesure d’application de la
présente partie.
(2) The Governor in Council may, by order,
(2) Il peut par décret :
(a) provide that this Part is binding on any
agent of Her Majesty in right of Canada to
which the Privacy Act does not apply; and
a) prévoir que la présente partie lie tout
mandataire de Sa Majesté du chef du
Canada qui n’est pas assujetti à la Loi sur la
protection des renseignements personnels;
(b) if satisfied that legislation of a province
that is substantially similar to this Part
applies to an organization, a class of
organizations, an activity or a class of
activities, exempt the organization, activity
or class from the application of this Part in
respect of the collection, use or disclosure
of personal information that occurs within
that province.
Décret
b) s’il est convaincu qu’une loi provinciale
essentiellement similaire à la présente partie s’applique à une organisation — ou
catégorie d’organisations — ou à une activité — ou catégorie d’activités —, exclure
l’organisation, l’activité ou la catégorie de
l’application de la présente partie à l’égard
de la collecte, de l’utilisation ou de la
communication de renseignements personnels qui s’effectue à l’intérieur de la
province en cause.
Whistleblowing
27. (1) Any person who has reasonable
grounds to believe that a person has contravened or intends to contravene a provision of
Division 1, may notify the Commissioner of
the particulars of the matter and may request
that their identity be kept confidential with
respect to the notification.
27. (1) Toute personne qui a des motifs
raisonnables de croire qu’une autre personne
a contrevenu à l’une des dispositions de la
section 1, ou a l’intention d’y contrevenir,
peut notifier au commissaire des détails sur la
question et exiger l’anonymat relativement à
cette dénonciation.
Dénonciation
Confidentiality
(2) The Commissioner shall keep confidential the identity of a person who has notified
the Commissioner under subsection (1) and to
whom an assurance of confidentiality has
been provided by the Commissioner.
(2) Le commissaire est tenu de garder
confidentielle l’identité du dénonciateur auquel il donne l’assurance de l’anonymat.
Caractère
confidentiel
Prohibition
27.1 (1) No employer shall dismiss, suspend, demote, discipline, harass or otherwise
disadvantage an employee, or deny an employee a benefit of employment, by reason
that
27.1 (1) Il est interdit à l’employeur de
congédier un employé, de le suspendre, de le
rétrograder, de le punir, de le harceler ou de lui
faire subir tout autre inconvénient, ou de le
priver d’un avantage lié à son emploi parce
que :
Interdiction
(a) the employee, acting in good faith and
on the basis of reasonable belief, has
disclosed to the Commissioner that the
employer or any other person has contravened or intends to contravene a provision
of Division 1;
a) l’employé, agissant de bonne foi et se
fondant sur des motifs raisonnables, a
informé le commissaire que l’employeur ou
une autre personne a contrevenu à l’une des
dispositions de la section 1, ou a l’intention
d’y contrevenir;
(b) the employee, acting in good faith and
on the basis of reasonable belief, has
refused or stated an intention of refusing to
do anything that is a contravention of a
provision of Division 1;
b) l’employé, agissant de bonne foi et se
fondant sur des motifs raisonnables, a
refusé ou a fait part de son intention de
refuser d’accomplir un acte qui constitue
une contravention à l’une des dispositions
de la section 1;
(c) the employee, acting in good faith and
on the basis of reasonable belief, has done
or stated an intention of doing anything that
is required to be done in order that a
provision of Division 1 not be contravened;
or
(d) the employer believes that the employee
will do anything referred to in paragraph
(a), (b) or (c).
c) l’employé, agissant de bonne foi et se
fondant sur des motifs raisonnables, a
accompli ou a fait part de son intention
d’accomplir un acte nécessaire pour empêcher la contravention à l’une des dispositions de la section 1;
d) l’employeur croit que l’employé accomplira un des actes prévus aux alinéas a), b)
ou c).
Saving
(2) Nothing in this section impairs any right
of an employee either at law or under an
employment contract or collective agreement.
(2) Le présent article n’a pas pour effet de
restreindre les droits d’un employé, que ce soit
en général ou dans le cadre d’un contrat de
travail ou d’une convention collective.
Précision
Definitions
(3) In this section, ‘‘employee’’ includes an
independent contractor and ‘‘employer’’ has a
corresponding meaning.
(3) Dans le présent article, « employé »
s’entend notamment d’un travailleur autonome et « employeur » a un sens correspondant.
Définitions
Offence and
punishment
28. Every person who knowingly contravenes subsection 8(8) or 27.1(1) or who
obstructs the Commissioner or the Commissioner’s delegate in the investigation of a
complaint or in conducting an audit is guilty
of
28. Quiconque contrevient sciemment aux
paragraphes 8(8) ou 27.1(1) ou entrave l’action du commissaire — ou de son délégué — dans le cadre d’une vérification ou de
l’examen d’une plainte commet une infraction
et encourt, sur déclaration de culpabilité :
Infraction et
peine
(a) an offence punishable on summary
conviction and liable to a fine not exceeding
$10,000; or
a) par procédure sommaire, une amende
maximale de 10 000 $;
(b) an indictable offence and liable to a fine
not exceeding $100,000.
Review of
Part by
parliamentary
committee
29. (1) The administration of this Part shall,
every five years after this Part comes into
force, be reviewed by the committee of the
House of Commons, or of both Houses of
Parliament, that may be designated or established by Parliament for that purpose.
b) par mise en accusation, une amende
maximale de 100 000 $.
29. (1) Le Parlement désigne ou constitue
un comité, soit de la Chambre des communes,
soit mixte, chargé spécialement de l’examen,
tous les cinq ans suivant l’entrée en vigueur de
la présente partie, de l’application de celle-ci.
Examen par
un comité
parlementaire
Review and
report
Rapport
(2) The committee shall undertake a review
of the provisions and operation of this Part and
shall, within a year after the review is
undertaken or within any further period that
the House of Commons may authorize, submit
a report to Parliament that includes a statement of any changes to this Part or its
administration that the committee recommends.
(2) Le comité examine les dispositions de la
présente partie ainsi que les conséquences de
son application en vue de la présentation, dans
un délai d’un an à compter du début de
l’examen ou tout délai supérieur autorisé par
la Chambre des communes, d’un rapport au
Parlement où seront consignées ses conclusions ainsi que ses recommandations, s’il y a
lieu, quant aux modifications de la présente
partie ou de ses modalités d’application qui
seraient souhaitables.
DIVISION 5
SECTION 5
TRANSITIONAL PROVISIONS
DISPOSITIONS TRANSITOIRES
Application
30. (1) This Part does not apply to any
organization in respect of personal information that it collects, uses or discloses within a
province whose legislature has the power to
regulate the collection, use or disclosure of the
information, unless the organization does it in
connection with the operation of a federal
work, undertaking or business or the organization discloses the information outside the
province for consideration.
30. (1) La présente partie ne s’applique pas
à une organisation à l’égard des renseignements personnels qu’elle recueille, utilise ou
communique dans une province dont la législature a le pouvoir de régir la collecte,
l’utilisation ou la communication de tels
renseignements, sauf si elle le fait dans le
cadre d’une entreprise fédérale ou qu’elle
communique ces renseignements pour contrepartie à l’extérieur de cette province.
Application
Application
(1.1) This Part does not apply to any
organization in respect of personal health
information that it collects, uses or discloses.
(1.1) La présente partie ne s’applique pas à
une organisation à l’égard des renseignements
personnels sur la santé qu’elle recueille,
utilise ou communique.
Application
Expiry date
(2) Subsection (1) ceases to have effect
three years after the day on which this section
comes into force.
(2) Le paragraphe (1) cesse d’avoir effet
trois ans après l’entrée en vigueur du présent
article.
Cessation
d’effet
Expiry date
(2.1) Subsection (1.1) ceases to have effect
one year after the day on which this section
comes into force.
(2.1) Le paragraphe (1.1) cesse d’avoir effet
un an après l’entrée en vigueur du présent
article.
Cessation
d’effet
PART 2
PARTIE 2
ELECTRONIC DOCUMENTS
DOCUMENTS ÉLECTRONIQUES
Interpretation
Définitions
Definitions
31. (1) The definitions in this subsection
apply in this Part.
31. (1) Les définitions qui suivent s’appliquent à la présente partie.
Définitions
‘‘data’’
« données »
‘‘data’’ means representations of information
or concepts, in any form.
‘‘electronic
document’’
« document
électronique »
‘‘electronic document’’ means data that is recorded or stored on any medium in or by a
computer system or other similar device
and that can be read or perceived by a person or a computer system or other similar
device. It includes a display, printout or other output of that data.
« autorité responsable » S’agissant d’une disposition d’un texte législatif, s’entend de ce
qui suit :
a) si le texte législatif est une loi fédérale,
le ministre responsable de la disposition;
« autorité
responsable »
‘‘responsible
authority’’
‘‘electronic
signature’’
« signature
électronique »
‘‘electronic signature’’ means a signature that
consists of one or more letters, characters,
numbers or other symbols in digital form incorporated in, attached to or associated with
an electronic document.
‘‘federal law’’
« texte
législatif »
‘‘federal law’’ means an Act of Parliament or
an instrument, regardless of its name, issued, made or established under an Act of
Parliament or a prerogative of the Crown,
other than an instrument issued, made or established under the Yukon Act, the Northwest Territories Act or the Nunavut Act.
‘‘responsible
authority’’
« autorité
responsable »
‘‘responsible authority’’, in respect of a provision of a federal law, means
(a) if the federal law is an Act of
Parliament, the minister responsible for
that provision;
(b) if the federal law is an instrument
issued, made or established under an Act
of Parliament or a prerogative of the
Crown, the person or body who issued,
made or established the instrument; or
(c) despite paragraph (a) or (b), the
person or body designated by the Governor in Council under subsection (2).
‘‘secure
electronic
signature’’
« signature
électronique
sécurisée »
‘‘secure electronic signature’’ means an electronic signature that results from the application of a technology or process prescribed by regulations made under subsection 48(1).
Designation
(2) The Governor in Council may, by order,
for the purposes of this Part, designate any
person, including any member of the Queen’s
Privy Council for Canada, or body to be the
responsible authority in respect of a provision
of a federal law if the Governor in Council is
of the opinion that it is appropriate to do so in
the circumstances.
b) si le texte législatif est un texte pris
sous le régime d’une loi fédérale ou en
vertu d’une prérogative royale, la personne ou l’organisme qui l’a pris;
c) malgré les alinéas a) et b), toute
personne ou tout organisme désigné par
le gouverneur en conseil en vertu du
paragraphe (2).
« document électronique » Ensemble de données enregistrées ou mises en mémoire sur
quelque support que ce soit par un système
informatique ou un dispositif semblable et
qui peuvent être lues ou perçues par une
personne ou par un tel système ou dispositif.
Sont également visés tout affichage et toute
sortie imprimée ou autre de ces données.
« document
électronique »
‘‘electronic
document’’
« données » Toute forme de représentation
d’informations ou de notions.
« données »
‘‘data’’
« signature électronique » Signature constituée d’une ou de plusieurs lettres, ou d’un
ou de plusieurs caractères, nombres ou autres symboles sous forme numérique incorporée, jointe ou associée à un document
électronique.
« signature
électronique »
‘‘electronic
signature’’
« signature électronique sécurisée » Signature électronique qui résulte de l’application
de toute technologie ou de tout procédé prévu par règlement pris en vertu du paragraphe 48(1).
« signature
électronique
sécurisée »
‘‘secure
electronic
signature’’
« texte législatif » Loi fédérale ou tout texte,
quelle que soit son appellation, pris sous le
régime d’une loi fédérale ou en vertu d’une
prérogative royale, à l’exception d’un texte
pris sous le régime de la Loi sur le Yukon,
de la Loi sur les Territoires du Nord-Ouest
ou de la Loi sur le Nunavut.
« texte
législatif »
‘‘federal
law’’
(2) Le gouverneur en conseil peut par
décret, pour l’application de la présente
partie, désigner toute personne, notamment un
membre du Conseil privé de la Reine pour le
Canada, ou tout organisme comme autorité
responsable d’une disposition d’un texte législatif, s’il est d’avis que les circonstances le
justifient.
Désignation
Purpose
Objet
32. The purpose of this Part is to provide for
the use of electronic alternatives in the manner
provided for in this Part where federal laws
contemplate the use of paper to record or
communicate information or transactions.
32. La présente partie a pour objet de
prévoir l’utilisation de moyens électroniques,
de la manière prévue dans la présente partie,
dans les cas où les textes législatifs envisagent
l’utilisation d’un support papier pour enregistrer ou communiquer de l’information ou des
transactions.
Electronic Alternatives
Moyens électroniques
Collection,
storage, etc.
33. A minister of the Crown and any
department, branch, office, board, agency,
commission, corporation or body for the
administration of affairs of which a minister of
the Crown is accountable to the Parliament of
Canada may use electronic means to create,
collect, receive, store, transfer, distribute,
publish or otherwise deal with documents or
information whenever a federal law does not
specify the manner of doing so.
33. Tout ministre, ministère, direction,
bureau, conseil, commission, office, service,
personne morale ou autre organisme dont un
ministre est responsable devant le Parlement
peut faire usage d’un moyen électronique pour
créer, recueillir, recevoir, mettre en mémoire,
transférer, diffuser, publier ou traiter de quelque autre façon des documents ou de l’information, si aucun moyen particulier n’est prévu
à l’égard de ces actes par un texte législatif.
Collecte,
mise en
mémoire, etc.
Electronic
payment
34. A payment that is required to be made
to the Government of Canada may be made in
electronic form in any manner specified by the
Receiver General.
34. Tout paiement qui doit être remis au
gouvernement du Canada peut être fait sous
forme électronique, de la manière que le
receveur général précise.
Paiements
par voie
électronique
Electronic
version of
statutory form
35. (1) If a provision of an Act of Parliament
establishes a form, the responsible authority in
respect of that provision may make regulations respecting an electronic form that is
substantially the same as the form established
in the provision, and the electronic form may
be used for the same purposes as the form
established in the provision.
35. (1) L’autorité responsable, à l’égard de
toute disposition d’une loi fédérale dans
laquelle figure un formulaire, peut prendre des
règlements prévoyant une version électronique essentiellement semblable, qui peut être
utilisée aux mêmes fins que le formulaire
figurant dans la disposition.
Version
électronique
des
formulaires
d’origine
législative
Statutory
manner of
filing
documents
(2) If a non-electronic manner of filing a
document is set out in a provision of an Act of
Parliament, the responsible authority in respect of that provision may make regulations
respecting the filing of an electronic version of
the document, and an electronic version of the
document filed in accordance with those
regulations is to be considered as a document
filed in accordance with the provision.
(2) L’autorité responsable, à l’égard de
toute disposition d’une loi fédérale qui prévoit
un mode de dépôt non électronique d’un
document, peut prendre des règlements prévoyant le dépôt d’une version électronique du
document. La version électronique du document déposée conformément à ces règlements
est assimilée au document déposé conformément à la disposition.
Mode de
dépôt
électronique
d’origine
législative
Statutory
manner of
submitting
information
(3) If a non-electronic manner of submitting
information is set out in a provision of an Act
of Parliament, the responsible authority in
respect of that provision may make regulations respecting the manner of submitting the
information using electronic means, and information submitted in accordance with those
regulations is to be considered as information
submitted in accordance with the provision.
(3) L’autorité responsable, à l’égard de
toute disposition d’une loi fédérale qui prévoit
un mode de transmission non électronique de
l’information, peut prendre des règlements en
prévoyant un mode de transmission électronique. L’information transmise conformément à
ces règlements est assimilée à l’information
transmise conformément à la disposition.
Mode de
transmission
de
l’information
d’origine
législative
Purpose
Objet
C. 5
Personal Information Protection and Electronic Documents
48-49 ELIZ. II
Authority to
prescribe
form, etc.
(4) The authority under a federal law to
issue, prescribe or in any other manner
establish a form, or to establish the manner of
filing a document or submitting information,
includes the authority to issue, prescribe or
establish an electronic form, or to establish an
electronic manner of filing the document or
submitting information, as the case may be.
(4) Le pouvoir conféré par un texte législatif de publier, de prescrire ou d’établir un
formulaire, ou d’établir un mode de dépôt
d’un document ou un mode de transmission de
l’information comprend le pouvoir de publier,
de prescrire ou d’établir une version électronique du formulaire, ou d’établir un mode de
dépôt électronique du document ou un mode
de transmission électronique de l’information, selon le cas.
Pouvoir de
prescrire des
formulaires
Meaning of
‘‘filing’’
(5) In this section, ‘‘filing’’ includes all
manner of submitting, regardless of how it is
designated.
(5) Au présent article, est assimilée au dépôt
toute forme de transmission, quelle que soit la
désignation de celle-ci.
Définition de
« dépôt »
Documents as
evidence or
proof
36. A provision of a federal law that
provides that a certificate or other document
signed by a minister or public officer is proof
of any matter or thing, or is admissible in
evidence, is, subject to the federal law,
satisfied by an electronic version of the
certificate or other document if the electronic
version is signed by the minister or public
officer with that person’s secure electronic
signature.
36. La disposition d’un texte législatif qui
prévoit qu’un certificat ou autre document
portant la signature d’un ministre ou d’un
fonctionnaire public fait foi de son contenu et
est admissible en preuve vise également, sous
réserve du texte législatif, la version électronique du certificat ou autre document si la
version électronique porte la signature électronique sécurisée du ministre ou du fonctionnaire public.
Preuve par
documents
Retention of
documents
37. A requirement under a provision of a
federal law to retain a document for a
specified period is satisfied, with respect to an
electronic document, by the retention of the
electronic document if
37. Dans le cas où une disposition d’un texte
législatif exige la conservation d’un document
pour une période déterminée, à l’égard d’un
document électronique, la conservation du
document électronique satisfait à l’obligation
si les conditions suivantes sont réunies :
Conservation
des
documents
(a) the electronic document is retained for
the specified period in the format in which
it was made, sent or received, or in a format
that does not change the information contained in the electronic document that was
originally made, sent or received;
(b) the information in the electronic document will be readable or perceivable by any
person who is entitled to have access to the
electronic document or who is authorized to
require the production of the electronic
document; and
(c) if the electronic document was sent or
received, any information that identifies the
origin and destination of the electronic
document and the date and time when it was
sent or received is also retained.
a) le document électronique est conservé
pour la période déterminée sous la forme
dans laquelle il a été fait, envoyé ou reçu, ou
sous une forme qui ne modifie en rien
l’information qu’il contient;
b) cette information sera lisible ou perceptible par quiconque a accès au document
électronique et est autorisé à exiger la
production de celui-ci;
c) si le document électronique est envoyé
ou reçu, l’information qui permet de déterminer son origine et sa destination, ainsi
que la date et l’heure d’envoi ou de
réception, doit être conservée.
1999-2000
Notarial act
Protection des renseignements personnels et documents électroniques
38. A reference in a provision of a federal
law to a document recognized as a notarial act
in the province of Quebec is deemed to
include an electronic version of the document
if
(a) the electronic version of the document
is recognized as a notarial act under the laws
of the province of Quebec; and
(b) the federal law or the provision is listed
in Schedule 2 or 3.
ch. 5
38. La mention, dans une disposition d’un
texte législatif, d’un document reconnu dans
la province de Québec comme un acte notarié
vaut également mention de la version électronique du document si les conditions suivantes
sont réunies :
Actes
notariés
a) la version électronique du document est
reconnue par les lois de la province de
Québec comme un acte notarié;
b) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3.
Seals
39. A requirement under a provision of a
federal law for a person’s seal is satisfied by a
secure electronic signature that identifies the
secure electronic signature as the person’s seal
if the federal law or the provision is listed in
Schedule 2 or 3.
39. Dans le cas où une disposition d’un texte
législatif exige l’apposition du sceau d’une
personne, la signature électronique sécurisée
qui s’identifie comme le sceau de cette
personne satisfait à l’obligation si la disposition ou le texte législatif est inscrit sur la liste
figurant à l’annexe 2 ou 3.
Sceaux
Requirements to
provide
documents or
information
40. A provision of a federal law requiring a
person to provide another person with a
document or information, other than a provision referred to in any of sections 41 to 47, is
satisfied by the provision of the document or
information in electronic form if
40. Dans le cas où une disposition d’un texte
législatif — à l’exclusion d’une disposition
visée aux articles 41 à 47 — exige qu’une
personne fournisse à une autre un document
ou de l’information, la fourniture du document ou de l’information sous forme électronique satisfait à l’obligation si les conditions
suivantes sont réunies :
Obligation de
fournir des
documents
ou de
l’information
(a) the federal law or the provision is listed
in Schedule 2 or 3;
(b) both persons have agreed to the document or information being provided in
electronic form; and
(c) the document or information in electronic form will be under the control of the
person to whom it is provided and will be
readable or perceivable so as to be usable
for subsequent reference.
Writing
requirements
41. A requirement under a provision of a
federal law for a document to be in writing is
satisfied by an electronic document if
(a) the federal law or the provision is listed
in Schedule 2 or 3; and
(b) the regulations respecting the application of this section to the provision have
been complied with.
a) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
b) les intéressés ont convenu de la fourniture du document ou de l’information sous
forme électronique;
c) le document ou l’information sous forme
électronique sera mis à la disposition exclusive de la personne à qui le document ou
l’information est fourni et sera lisible ou
perceptible de façon à pouvoir servir à la
consultation ultérieure.
41. Dans le cas où une disposition d’un texte
législatif exige qu’un document soit fait par
écrit, un document électronique satisfait à
l’obligation si les conditions suivantes sont
réunies :
a) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
b) les règlements visant l’application du
présent article à la disposition ont été
observés.
Documents
sous forme
écrite
Original
documents
42. A requirement under a provision of a
federal law for a document to be in its original
form is satisfied by an electronic document if
(a) the federal law or the provision is listed
in Schedule 2 or 3;
(b) the electronic document contains a
secure electronic signature that was added
when the electronic document was first
generated in its final form and that can be
used to verify that the electronic document
has not been changed since that time; and
(c) the regulations respecting the application of this section to the provision have
been complied with.
Signatures
43. Subject to sections 44 to 46, a requirement under a provision of a federal law for a
signature is satisfied by an electronic signature if
(a) the federal law or the provision is listed
in Schedule 2 or 3; and
(b) the regulations respecting the application of this section to the provision have
been complied with.
Statements
made under
oath
44. A statement required to be made under
oath or solemn affirmation under a provision
of a federal law may be made in electronic
form if
(a) the person who makes the statement
signs it with that person’s secure electronic
signature;
(b) the person before whom the statement
was made, and who is authorized to take
statements under oath or solemn affirmation, signs it with that person’s secure
electronic signature;
42. Dans le cas où une disposition d’un texte
législatif exige l’original d’un document, un
document électronique satisfait à l’obligation
si les conditions suivantes sont réunies :
Documents
originaux
a) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
b) le document électronique comporte une
signature électronique sécurisée, ajoutée
lors de la production originale du document
électronique dans sa forme définitive, pouvant être utilisée pour établir que le document électronique n’a pas été modifié
depuis;
c) les règlements visant l’application du
présent article à la disposition ont été
observés.
43. Sous réserve des articles 44 à 46, dans
le cas où une disposition d’un texte législatif
exige une signature, la signature électronique
satisfait à l’obligation si les conditions suivantes sont réunies :
Signatures
a) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
b) les règlements visant l’application du
présent article à la disposition ont été
observés.
44. Dans le cas où une disposition d’un texte
législatif exige une déclaration sous serment
ou une affirmation solennelle, celle-ci peut
être faite sous forme électronique si les
conditions suivantes sont réunies :
a) l’auteur appose à la déclaration ou à
l’affirmation sa signature électronique sécurisée;
b) le commissaire aux serments devant qui
a été faite la déclaration ou l’affirmation
appose à celle-ci sa signature électronique
sécurisée;
(c) the federal law or the provision is listed
in Schedule 2 or 3; and
c) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
(d) the regulations respecting the application of this section to the provision have
been complied with.
d) les règlements visant l’application du
présent article à la disposition ont été
observés.
Déclarations
sous serment
Statements
declaring
truth, etc.
Witnessed
signatures
Copies
45. A statement required to be made under
a provision of a federal law declaring or
certifying that any information given by a
person making the statement is true, accurate
or complete may be made in electronic form
if
45. Dans le cas où une disposition d’un texte
législatif exige une déclaration attestant la
véracité, l’exactitude ou l’intégralité d’une
information fournie par le déclarant, la déclaration peut être faite sous forme électronique
si les conditions suivantes sont réunies :
(a) the person signs it with that person’s
secure electronic signature;
a) le déclarant y appose sa signature
électronique sécurisée;
(b) the federal law or the provision is listed
in Schedule 2 or 3; and
b) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
(c) the regulations respecting the application of this section to the provision have
been complied with.
c) les règlements visant l’application du
présent article à la disposition ont été
observés.
46. A requirement under a provision of a
federal law for a signature to be witnessed is
satisfied with respect to an electronic document if
46. Dans le cas où une disposition d’un texte
législatif exige la signature d’un témoin, un
document électronique satisfait à l’obligation
si les conditions suivantes sont réunies :
(a) each signatory and each witness signs
the electronic document with their secure
electronic signature;
a) chacun des signataires et témoins appose
au document électronique sa signature
électronique sécurisée;
(b) the federal law or the provision is listed
in Schedule 2 or 3; and
b) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
(c) the regulations respecting the application of this section to the provision have
been complied with.
c) les règlements visant l’application du
présent article à la disposition ont été
observés.
47. A requirement under a provision of a
federal law for one or more copies of a
document to be submitted is satisfied by the
submission of an electronic document if
47. Dans le cas où une disposition d’un texte
législatif exige la transmission d’un ou de
plusieurs exemplaires d’un document, la
transmission d’un document électronique satisfait à l’obligation si les conditions suivantes
sont réunies :
(a) the federal law or the provision is listed
in Schedule 2 or 3; and
(b) the regulations respecting the application of this section to the provision have
been complied with.
Regulations
Déclarations
Signatures
devant
témoin
Exemplaires
a) la disposition ou le texte législatif est
inscrit sur la liste figurant à l’annexe 2 ou 3;
b) les règlements visant l’application du
présent article à la disposition ont été
observés.
Regulations and Orders
Règlements et décrets
48. (1) Subject to subsection (2), the
Governor in Council may, on the recommendation of the Treasury Board, make regulations prescribing technologies or processes for
the purpose of the definition ‘‘secure electronic signature’’ in subsection 31(1).
48. (1) Sous réserve du paragraphe (2), le
gouverneur en conseil peut, sur recommandation du Conseil du Trésor, prendre des règlements pour prévoir des technologies ou des
procédés pour l’application de la définition de
« signature électronique sécurisée » au paragraphe 31(1).
Règlements
Characteristics
(2) The Governor in Council may prescribe
a technology or process only if the Governor
in Council is satisfied that it can be proved that
(2) Le gouverneur en conseil ne peut
prévoir une technologie ou un procédé que s’il
est convaincu qu’il peut être établi ce qui suit :
(a) the electronic signature resulting from
the use by a person of the technology or
process is unique to the person;
a) la signature électronique résultant de
l’utilisation de la technologie ou du procédé
est propre à l’utilisateur;
(b) the use of the technology or process by
a person to incorporate, attach or associate
the person’s electronic signature to an
electronic document is under the sole
control of the person;
b) l’utilisation de la technologie ou du
procédé pour l’incorporation, l’adjonction
ou l’association de la signature électronique
de l’utilisateur au document électronique se
fait sous la seule responsabilité de ce
dernier;
(c) the technology or process can be used to
identify the person using the technology or
process; and
Critères
c) la technologie ou le procédé permet
d’identifier l’utilisateur;
(d) the electronic signature can be linked
with an electronic document in such a way
that it can be used to determine whether the
electronic document has been changed
since the electronic signature was incorporated in, attached to or associated with the
electronic document.
d) la signature électronique peut être liée au
document électronique de façon à permettre de vérifier si le document a été modifié
depuis que la signature électronique a été
incorporée, jointe ou associée au document.
Effect of
amendment or
repeal
(3) An amendment to or repeal of any
provision of a regulation made under subsection (1) that has the effect of removing a
prescribed technology or process from the
regulation does not, by itself, affect the
validity of any electronic signature resulting
from the use of that technology or process
while it was prescribed.
(3) La modification ou l’abrogation d’une
disposition d’un règlement pris en vertu du
paragraphe (1) qui a pour effet de supprimer
une technologie ou un procédé du règlement
n’a pas pour effet d’invalider la signature
électronique résultant de l’utilisation de la
technologie ou du procédé qui était mentionné
dans le règlement.
Effet d’une
disposition
modifiée ou
abrogée
Amendment
of schedules
49. For the purposes of sections 38 to 47, the
responsible authority in respect of a provision
of a federal law may, by order, amend
Schedule 2 or 3 by adding or striking out a
reference to that federal law or provision.
49. Pour l’application des articles 38 à 47,
l’autorité responsable, à l’égard d’une disposition d’un texte législatif, peut par décret
modifier l’annexe 2 ou 3 par adjonction ou
suppression de la mention du texte législatif
ou de la disposition.
Modification
des annexes
Regulations
50. (1) For the purposes of sections 41 to 47,
the responsible authority in respect of a
provision of a federal law may make regulations respecting the application of those
sections to the provision.
50. (1) Pour l’application des articles 41 à
47, l’autorité responsable, à l’égard d’une
disposition d’un texte législatif, peut prendre
des règlements visant l’application de ces
articles à la disposition.
Règlements
Contents
(2) Without restricting the generality of
subsection (1), the regulations that may be
made may include rules respecting any of the
following:
(2) Sans que soit limitée la portée générale
du paragraphe (1), les règlements qui y sont
prévus peuvent comprendre des règles visant
notamment :
Contenu
(a) the technology or process that must be
used to make or send an electronic document;
a) la technologie ou le procédé à utiliser
pour faire ou envoyer le document électronique;
(b) the format of an electronic document;
b) le format du document électronique;
(c) the place where an electronic document
is to be made or sent;
c) le lieu où le document électronique est
fait ou envoyé;
(d) the time and circumstances when an
electronic document is to be considered to
be sent or received and the place where it is
considered to have been sent or received;
d) les délais et les circonstances dans
lesquels le document électronique est présumé avoir été envoyé ou reçu, ainsi que le
lieu où le document est présumé avoir été
envoyé ou reçu;
(e) the technology or process to be used to
make or verify an electronic signature and
the manner in which it is to be used; and
(f) any matter necessary for the purposes of
the application of sections 41 to 47.
e) la technologie ou le procédé à utiliser
pour faire ou vérifier une signature électronique et la manière d’utiliser cette signature;
f) tout ce qui est utile à l’application des
articles 41 à 47.
Minimum
rules
Règles
minimales
(3) Without restricting the generality of
subsection (1), if a provision referred to in any
of sections 41 to 47 requires a person to
provide another person with a document or
information, the rules set out in the regulations
respecting the application of that section to the
provision may be that
(3) Sans que soit limitée la portée générale
du paragraphe (1), si une disposition visée à
l’un des articles 41 à 47 exige qu’une personne
fournisse à une autre un document ou une
information, les règles établies dans les règlements visant l’application de cet article à la
disposition peuvent exiger que :
(a) both persons have agreed to the document or information being provided in
electronic form; and
a) les intéressés aient convenu de la fourniture du document ou de l’information sous
forme électronique;
(b) the document or information in electronic form will be under the control of the
person to whom it is provided and will be
readable or perceivable so as to be usable
for subsequent reference.
b) le document ou l’information sous forme
électronique soit mis à la disposition de la
personne à qui le document ou l’information est fourni et soit lisible ou perceptible
de façon à pouvoir servir à la consultation
ultérieure.
Incorporation
by reference
(4) Regulations may incorporate by reference the standards or specifications of any
government, person or organization, either as
they read at a fixed time or as they are
amended from time to time.
(4) Les règlements peuvent incorporer par
renvoi une version déterminée dans le temps
ou la dernière version modifiée des normes ou
spécifications adoptées par des personnes
physiques ou morales, de droit privé ou de
droit public.
Incorporation
par renvoi
Effect of
striking out
listed
provision
51. The striking out of a reference to a
federal law or provision in Schedule 2 or 3
does not affect the validity of anything done in
compliance with any regulation made under
section 50 that relates to that federal law or
provision while it was listed in that Schedule.
51. La suppression de l’inscription d’une
disposition ou d’un texte législatif sur la liste
figurant à l’annexe 2 ou 3 n’a pas pour effet
d’invalider un acte accompli conformément
aux règlements relatifs à cette disposition ou
à ce texte législatif, pris en vertu de l’article
50, alors que la disposition ou le texte était
inscrit sur la liste figurant à l’annexe.
Effet d’une
disposition
supprimée de
la liste
R.S., c. C-5;
R.S., c. 27 (1st
Supp.), c. 19
(3rd Supp.);
1992, cc. 1,
47; 1993, cc.
28, 34; 1994,
c. 44; 1995, c.
28; 1997, c.
18; 1998, c. 9
Copies by
Queen’s
Printer
Authentication of
electronic
documents
PART 3
PARTIE 3
AMENDMENTS TO THE CANADA
EVIDENCE ACT
MODIFICATION DE LA LOI SUR LA
PREUVE AU CANADA
52. Section 19 of the Canada Evidence Act
is replaced by the following:
52. L’article 19 de la Loi sur la preuve au
Canada est remplacé par ce qui suit :
19. Every copy of any Act of Parliament,
public or private, published by the Queen’s
Printer, is evidence of that Act and of its
contents, and every copy purporting to be
published by the Queen’s Printer shall be
deemed to be so published, unless the contrary
is shown.
19. Tout exemplaire d’une loi fédérale,
qu’elle soit publique ou privée, publiée par
l’imprimeur de la Reine, fait preuve de cette
loi et de son contenu. Tout exemplaire donné
comme publié par l’imprimeur de la Reine est
réputé avoir été ainsi publié, sauf preuve
contraire.
53. Paragraph 20(c) of the Act is replaced
by the following:
53. L’alinéa 20c) de la même loi est
remplacé par ce qui suit :
(c) by the production of a copy of them
purporting to be published by the Queen’s
Printer.
c) soit par la production d’un exemplaire de
ces documents donné comme publié par
l’imprimeur de la Reine.
54. Paragraphs 21(b) and (c) of the Act
are replaced by the following:
54. Les alinéas 21b) et c) de la même loi
sont remplacés par ce qui suit :
(b) by the production of a copy of the
proclamation, order, regulation or appointment, purporting to be published by the
Queen’s Printer;
b) la production d’un exemplaire de la
proclamation, du décret, du règlement ou
de l’acte de nomination, donné comme
publié par l’imprimeur de la Reine;
(c) by the production of a copy of the treaty
purporting to be published by the Queen’s
Printer;
c) la production d’un exemplaire du traité,
donné comme publié par l’imprimeur de la
Reine;
55. Paragraph 22(1)(b) of the Act is
replaced by the following:
55. L’alinéa 22(1)b) de la même loi est
remplacé par ce qui suit :
(b) by the production of a copy of the
proclamation, order, regulation or appointment purporting to be published by the
government or Queen’s Printer for the
province; and
b) la production d’un exemplaire de la
proclamation, du décret, du règlement ou
de l’acte de nomination, donné comme
publié par l’imprimeur de la Reine ou du
gouvernement pour cette province;
56. The Act is amended by adding the
following after section 31:
56. La même loi est modifiée par adjonction, après l’article 31, de ce qui suit :
31.1 Any person seeking to admit an
electronic document as evidence has the
burden of proving its authenticity by evidence
capable of supporting a finding that the
electronic document is that which it is purported to be.
31.1 Il incombe à la personne qui cherche à
faire admettre en preuve un document électronique d’établir son authenticité au moyen
d’éléments de preuve permettant de conclure
que le document est bien ce qu’il paraît être.
L.R., ch. C-5;
L.R., ch. 27
(1er suppl.),
ch. 19 (3e
suppl.); 1992,
ch. 1, 47;
1993, ch. 28,
34; 1994, ch.
44; 1995, ch.
28; 1997, ch.
18; 1998, ch. 9
Exemplaires
de
l’imprimeur
de la Reine
Authentification de
documents
électroniques
31.2 (1) Tout document électronique satisfait à la règle de la meilleure preuve dans les
cas suivants :
a) la fiabilité du système d’archivage
électronique au moyen duquel ou dans
lequel le document est enregistré ou mis en
mémoire est démontrée;
Règle de la
meilleure
preuve —
documents
électroniques
Application of
best evidence
rule —
electronic
documents
31.2 (1) The best evidence rule in respect of
an electronic document is satisfied
(a) on proof of the integrity of the electronic
documents system by or in which the
electronic document was recorded or
stored; or
(b) if an evidentiary presumption established under section 31.4 applies.
b) une présomption établie en vertu de
l’article 31.4 s’applique.
Printouts
(2) Despite subsection (1), in the absence of
evidence to the contrary, an electronic document in the form of a printout satisfies the best
evidence rule if the printout has been manifestly or consistently acted on, relied on or
used as a record of the information recorded or
stored in the printout.
(2) Malgré le paragraphe (1), sauf preuve
contraire, le document électronique sous forme de sortie imprimée satisfait à la règle de la
meilleure preuve si la sortie imprimée a de
toute évidence ou régulièrement été utilisée
comme document relatant l’information enregistrée ou mise en mémoire.
Sorties
imprimées
Presumption
of integrity
31.3 For the purposes of subsection 31.2(1),
in the absence of evidence to the contrary, the
integrity of an electronic documents system
by or in which an electronic document is
recorded or stored is proven
31.3 Pour l’application du paragraphe
31.2(1), le système d’archivage électronique
au moyen duquel ou dans lequel un document
électronique est enregistré ou mis en mémoire
est réputé fiable, sauf preuve contraire, si,
selon le cas :
Présomption
de fiabilité
(a) by evidence capable of supporting a
finding that at all material times the computer system or other similar device used by
the electronic documents system was operating properly or, if it was not, the fact of its
not operating properly did not affect the
integrity of the electronic document and
there are no other reasonable grounds to
doubt the integrity of the electronic documents system;
a) la preuve permet de conclure qu’à
l’époque en cause, le système informatique
ou autre dispositif semblable fonctionnait
bien, ou, dans le cas contraire, son mauvais
fonctionnement n’a pas compromis l’intégrité des documents électroniques, et qu’il
n’existe aucun autre motif raisonnable de
mettre en doute la fiabilité du système
d’archivage électronique;
(b) if it is established that the electronic
document was recorded or stored by a party
who is adverse in interest to the party
seeking to introduce it; or
b) il est établi que le document électronique
présenté en preuve par une partie a été
enregistré ou mis en mémoire par une partie
adverse;
(c) if it is established that the electronic
document was recorded or stored in the
usual and ordinary course of business by a
person who is not a party and who did not
record or store it under the control of the
party seeking to introduce it.
c) il est établi que le document électronique
a été enregistré ou mis en mémoire dans le
cours ordinaire des affaires par une personne qui n’est pas partie à l’instance et qui ne
l’a pas enregistré ni ne l’a mis en mémoire
sous l’autorité de la partie qui cherche à le
présenter en preuve.
Presumptions
regarding
secure
electronic
signatures
Signatures
électroniques
sécurisées —
présomptions
31.4 The Governor in Council may make
regulations establishing evidentiary presumptions in relation to electronic documents
signed with secure electronic signatures, including regulations respecting
31.4 Le gouverneur en conseil peut prendre
des règlements établissant des présomptions
relativement aux documents électroniques
portant une signature électronique sécurisée,
notamment des règlements visant :
(a) the association of secure electronic
signatures with persons; and
a) l’association de signatures électroniques
sécurisées à des personnes;
(b) the integrity of information contained in
electronic documents signed with secure
electronic signatures.
b) l’intégrité de l’information contenue
dans un document électronique portant une
signature électronique sécurisée.
Standards
may be
considered
31.5 For the purpose of determining under
any rule of law whether an electronic document is admissible, evidence may be presented in respect of any standard, procedure,
usage or practice concerning the manner in
which electronic documents are to be recorded or stored, having regard to the type of
business, enterprise or endeavour that used,
recorded or stored the electronic document
and the nature and purpose of the electronic
document.
31.5 Afin de déterminer si, pour l’application de toute règle de droit, un document
électronique est admissible, il peut être présenté un élément de preuve relatif à toute
norme, toute procédure, tout usage ou toute
pratique touchant la manière d’enregistrer ou
de mettre en mémoire un document électronique, eu égard au type de commerce ou
d’entreprise qui a utilisé, enregistré ou mis en
mémoire le document électronique ainsi qu’à
la nature et à l’objet du document.
Normes à
considérer
Proof by
affidavit
31.6 (1) The matters referred to in subsection 31.2(2) and sections 31.3 and 31.5 and in
regulations made under section 31.4 may be
established by affidavit.
31.6 (1) La preuve des questions visées au
paragraphe 31.2(2) et aux articles 31.3 et 31.5
ainsi que dans les règlements pris en vertu de
l’article 31.4 peut être faite par affidavit.
Preuve par
affidavit
Cross-examination
(2) A party may cross-examine a deponent
of an affidavit referred to in subsection (1) that
has been introduced in evidence
(2) Toute partie peut contre-interroger l’auteur d’un affidavit visé au paragraphe (1) et
déposé en preuve :
Contre-interrogatoire
(a) as of right, if the deponent is an adverse
party or is under the control of an adverse
party; and
a) de plein droit, dans le cas où l’auteur de
l’affidavit est une partie adverse ou est sous
l’autorité d’une telle partie;
(b) with leave of the court, in the case of any
other deponent.
b) avec l’autorisation du tribunal, dans les
autres cas.
Application
31.7 Sections 31.1 to 31.4 do not affect any
rule of law relating to the admissibility of
evidence, except the rules relating to authentication and best evidence.
31.7 Les articles 31.1 à 31.4 n’ont pas pour
effet de restreindre l’application des règles de
droit relatives à l’admissibilité de la preuve, à
l’exception des règles de droit régissant
l’authentification et la meilleure preuve.
Application
Definitions
31.8 The definitions in this section apply in
sections 31.1 to 31.6.
31.8 Les définitions qui suivent s’appliquent aux articles 31.1 à 31.6.
Définitions
‘‘computer
system’’
« système
informatique »
‘‘computer system’’ means a device that, or a
group of interconnected or related devices
one or more of which,
(a) contains computer programs or other
data; and
« document électronique » Ensemble de données enregistrées ou mises en mémoire sur
quelque support que ce soit par un système
informatique ou un dispositif semblable et
qui peuvent être lues ou perçues par une
personne ou par un tel système ou dispositif.
Sont également visés tout affichage et toute
sortie imprimée ou autre de ces données.
« document
électronique »
‘‘electronic
document’’
(b) pursuant to computer programs, performs logic and control, and may perform any other function.
« données » Toute forme de représentation
d’informations ou de notions.
« données »
‘‘data’’
« signature électronique sécurisée » Signature électronique sécurisée au sens du paragraphe 31(1) de la Loi sur la protection des
renseignements personnels et les documents électroniques.
« signature
électronique
sécurisée »
‘‘secure
electronic
signature’’
« système d’archivage électronique » Sont assimilés au système d’archivage électronique le système informatique et tout dispositif semblable qui enregistre ou met en mémoire des données ainsi que les procédés relatifs à l’enregistrement ou à la mise en mémoire de documents électroniques.
« système
d’archivage
électronique »
‘‘electronic
documents
system’’
« système informatique » Dispositif ou ensemble de dispositifs connectés ou reliés les
uns aux autres, dont l’un ou plusieurs :
« système
informatique »
‘‘computer
system’’
‘‘data’’
« données »
‘‘data’’ means representations of information
or of concepts, in any form.
‘‘electronic
document’’
« document
électronique »
‘‘electronic document’’ means data that is recorded or stored on any medium in or by a
computer system or other similar device
and that can be read or perceived by a person or a computer system or other similar
device. It includes a display, printout or other output of that data.
‘‘electronic
documents
system’’
« système
d’archivage
électronique »
‘‘electronic documents system’’ includes a
computer system or other similar device by
or in which data is recorded or stored and
any procedures related to the recording or
storage of electronic documents.
‘‘secure
electronic
signature’’
« signature
électronique
sécurisée »
‘‘secure electronic signature’’ means a secure
electronic signature as defined in subsection 31(1) of the Personal Information
Protection and Electronic Documents Act.
a) contiennent des programmes d’ordinateur ou d’autres données;
57. Subsection 32(2) of the Act is replaced
by the following:
57. Le paragraphe 32(2) de la même loi
est remplacé par ce qui suit :
(2) All copies of official and other notices,
advertisements and documents published in
the Canada Gazette are admissible in evidence as proof, in the absence of evidence to
the contrary, of the originals and of their
contents.
(2) Toutes copies d’avis, d’annonces et de
documents officiels et autres, publiées dans la
Gazette du Canada, sont admissibles en
preuve et font foi, jusqu’à preuve contraire,
des originaux et de leur contenu.
PART 4
PARTIE 4
AMENDMENTS TO THE STATUTORY
INSTRUMENTS ACT
MODIFICATION DE LA LOI SUR LES
TEXTES RÉGLEMENTAIRES
58. Section 10 of the Statutory Instruments
Act is renumbered as subsection 10(1) and
is amended by adding the following:
58. L’article 10 de la Loi sur les textes
réglementaires devient le paragraphe 10(1)
et est modifié par adjonction de ce qui suit :
(2) The Governor in Council may determine the form and manner in which the
Canada Gazette, or any part of it, is published,
including publication by electronic means.
(2) Le gouverneur en conseil peut fixer les
modalités de publication — notamment la
publication sur support électronique — de
tout ou partie de la Gazette du Canada.
59. Subsection 16(3) of the Act is replaced
by the following:
59. Le paragraphe 16(3) de la même loi
est remplacé par ce qui suit :
Copies
published in
Canada
Gazette
R.S., c. S-22;
R.S., c. 31 (1st
Supp.), cc. 31,
51 (4th
Supp.); 1993,
cc. 28, 34
Publication
b) conformément à des programmes
d’ordinateur, exécutent des fonctions
logiques et de commande et peuvent
exécuter toute autre fonction.
Copies
publiées dans
la Gazette du
Canada
L.R., ch.
S-22; L.R.,
ch. 31 (1er
suppl.), ch.
31, 51 (4e
suppl.); 1993,
ch. 28, 34
Modalités de
publication
Deemed
publication in
Canada
Gazette
(3) For the purposes of this section,
(a) if a regulation is included in a copy of the
Consolidated Regulations of Canada, 1978
purporting to be printed by the Queen’s
Printer, that regulation is deemed to have
been published in the Canada Gazette; and
(b) if a regulation is included in a copy of a
revision of regulations purporting to be
printed by the Queen’s Printer, that regulation is deemed to have been published in the
Canada Gazette.
R.S., c. S-20;
1992, c. 1
Short title
‘‘revision’’
« révision »
(3) Pour l’application du présent article :
a) les règlements qui figurent dans un
exemplaire de la Codification des règlements du Canada, 1978, censée imprimée
par l’imprimeur de la Reine, sont réputés
avoir été publiés dans la Gazette du Canada;
PARTIE 5
AMENDMENTS TO THE STATUTE
REVISION ACT
MODIFICATION DE LA LOI SUR LA
RÉVISION DES LOIS
60. Section 1 of the Statute Revision Act is
replaced by the following:
60. L’article 1 de la Loi sur la révision des
lois est remplacé par ce qui suit :
1. This Act may be cited as the Legislation
Revision and Consolidation Act.
1. Loi sur la révision et la codification des
textes législatifs.
61. (1) The definition ‘‘revision’’ in section 2 of the Act is replaced by the following:
61. (1) La définition de « révision », à
l’article 2 de la même loi, est remplacée par
ce qui suit :
‘‘revision’’ means
(b) for the purposes of Part II, the
arrangement, revision and consolidation
of the regulations authorized under that
Part.
(2) Section 2 of the Act is amended by
adding the following in alphabetical order:
‘‘regulations’’ means
(a) statutory orders and regulations published in the Consolidated Regulations of
Canada, 1978,
(b) regulations, statutory instruments and
other documents published in the Canada Gazette, Part II, after the publication
of the Consolidated Regulations of Canada, 1978, and
Présomption
de
publication
b) les règlements qui figurent dans un
exemplaire de la révision des règlements,
censée imprimée par l’imprimeur de la
Reine, sont réputés avoir été publiés dans la
Gazette du Canada.
PART 5
(a) for the purposes of Part I, the
arrangement, revision and consolidation
of the public general statutes of Canada
authorized under that Part; and
‘‘regulations’’
« règlements »
« révision »
L.R., ch.
S-20; 1992,
ch. 1
Titre abrégé
« révision »
‘‘revision’’
a) Pour l’application de la partie I, le
remaniement, la révision et la codification — autorisés en vertu de cette partie — des lois d’intérêt public et général
du Canada;
b) pour l’application de la partie II, le
remaniement, la révision et la codification — autorisés en vertu de cette partie — des règlements.
(2) L’article 2 de la même loi est modifié
par adjonction, selon l’ordre alphabétique,
de ce qui suit :
« règlements » Sont considérés comme des règlements :
a) les décrets, ordonnances et règlements
publiés dans la Codification des règlements du Canada, 1978;
b) les règlements, textes réglementaires
et autres documents publiés dans la partie
« règlements »
‘‘regulations’’
(c) any other regulations, statutory
instruments or documents that, in the
opinion of the Minister, are of continuing
effect or apply to more than one person or
body and that are not exempted from
publication pursuant to regulations made
under paragraph 20(c) of the Statutory
Instruments Act;
II de la Gazette du Canada depuis cette
codification;
62. Section 5 of the Act is replaced by the
following:
62. L’article 5 de la même loi est remplacé
par ce qui suit :
Revision of
statutes
5. The Commission shall, from time to
time, revise the public general statutes of
Canada.
5. Périodiquement, la Commission révise
les lois d’intérêt public et général du Canada.
Révision des
lois
1992, c. 1,
s. 132
63. The heading before section 8 and
sections 8 to 10 of the Act are repealed.
63. L’intertitre précédant l’article 8 et les
articles 8 à 10 de la même loi sont abrogés.
1992, ch. 1,
art. 132
64. The heading before section 11 and
sections 11 and 12 of the Act are replaced by
the following:
64. L’intertitre précédant l’article 11 et
les articles 11 et 12 de la même loi sont
remplacés par ce qui suit :
Revision
Révision
Revision of
regulations
10. The Commission shall, from time to
time, revise the regulations.
10. Périodiquement, la Commission révise
les règlements.
Révision des
règlements
Powers of
Commission
11. In preparing and maintaining the Revised Regulations and in keeping the Revised
Regulations up to date, the Commission may
exercise, in respect of the regulations, the
powers that it has under section 6 in respect of
a revision under Part I.
11. Dans l’exécution de cette mission, la
Commission dispose, en ce qui touche les
règlements, des pouvoirs que lui confère
l’article 6 pour la révision en vertu de la
partie I.
Pouvoirs de
la
Commission
Deposit of
revision
12. (1) On receipt of a written report from
the Commission in respect of the completion
of all or any part of the Revised Regulations,
the Governor in Council may cause a printed
Roll of the regulations, attested under the
signature of the Minister and the President of
the Privy Council, to be deposited in the office
of the Clerk of the Privy Council, and the Roll
shall be held to be the original of the
regulations included in it.
12. (1) À la réception d’un rapport écrit de
la Commission l’informant de l’achèvement
de tout ou partie des Règlements révisés, le
gouverneur en conseil peut faire déposer au
bureau du greffier du Conseil privé un recueil
imprimé des règlements en cause, certifié par
la signature du ministre et du président du
Conseil privé. Ce recueil est dès lors considéré
comme l’original des règlements qui y figurent.
Dépôt de la
révision
Schedule
(2) There shall be appended to each Roll a
schedule similar in form to the Schedule to
Appendix I appended to the Revised Statutes
of Canada, 1985, and the Commission may
include in the schedule a list of all regulations
and parts of regulations that, although not
expressly repealed, are superseded by the
regulations included in the Roll, or are
(2) Est jointe au recueil une annexe analogue, quant à la forme, à l’annexe de l’appendice I des Lois révisées du Canada (1985); la
Commission peut faire figurer dans cette
annexe une liste de tous les règlements et
parties de règlement qui, bien que n’ayant pas
été expressément abrogés, sont remplacés par
les règlements figurant au recueil ou sont
Annexe
c) les autres règlements, textes réglementaires ou documents qui, de l’avis du
ministre, restent en vigueur ou s’appliquent à plusieurs personnes ou organismes et qui ne sont pas soustraits à la
publication par les règlements pris en
vertu de l’alinéa 20c) de la Loi sur les
textes réglementaires.
Effect
Repeal
Bound
volumes
Old
regulations
not revived
inconsistent with them, and a list of all
regulations and parts of regulations that were
for a temporary purpose the force of which is
spent.
incompatibles avec eux, ainsi qu’une liste de
tous les règlements et parties de règlement de
caractère temporaire qui sont devenus périmés.
65. (1) Subsection 13(2) of the Act is
replaced by the following:
65. (1) Le paragraphe 13(2) de la même
loi est remplacé par ce qui suit :
(2) On the day referred to in subsection (1)
in respect of any Roll, the regulations included
in that Roll shall accordingly come into force
and have effect as law as part of the Revised
Regulations to all intents as if each regulation
had been made by the appropriate regulation-making authority and all the requirements
with respect to the making of that regulation
had been complied with.
(2) À la date fixée pour l’entrée en vigueur
du recueil, les règlements y inclus entrent en
vigueur et ont force de loi à tous égards en tant
qu’élément des Règlements révisés. Chacun
de ces règlements est censé avoir été pris par
l’autorité réglementaire compétente et toutes
les prescriptions en régissant la prise sont
censées avoir été observées.
(2) Subsection 13(3) of the English version of the Act is replaced by the following:
(2) Le paragraphe 13(3) de la version
anglaise de la même loi est remplacé par ce
qui suit :
(3) On the day referred to in subsection (1),
all regulations and parts of regulations listed
in the schedule to the Roll are repealed to the
extent mentioned in that schedule.
(3) On the day referred to in subsection (1),
all regulations and parts of regulations listed
in the schedule to the Roll are repealed to the
extent mentioned in that schedule.
66. Sections 15 to 17 of the Act are
replaced by the following:
66. Les articles 15 à 17 de la même loi sont
remplacés par ce qui suit :
17. If the Commission has, as of a day
selected by it, revised all the regulations that
it is required to revise under section 10 to that
day, it shall cause the Revised Regulations to
be published in the form of bound volumes,
and the regulations to be included in them
shall be those that have been revised as of that
day, and that day shall be indicated in each of
the volumes.
17. Lorsque la Commission, en application
de l’article 10, a exécuté la mission qui lui est
assignée à la date fixée par elle, elle fait
publier les Règlements révisés sous forme de
volumes reliés contenant le texte des règlements mis à jour à cette date, ainsi que
l’indication de celle-ci.
67. (1) Subsection 18(1) of the English
version of the Act is replaced by the
following:
67. (1) Le paragraphe 18(1) de la version
anglaise de la même loi est remplacé par ce
qui suit :
18. (1) The repeal of the regulations and
parts of regulations listed in the schedule
appended to a Roll does not
18. (1) The repeal of the regulations and
parts of regulations listed in the schedule
appended to a Roll does not
(a) revive any regulation or part of any
regulation so repealed;
(a) revive any regulation or part of any
regulation so repealed;
(b) affect any saving clause in the regulations or parts of regulations so repealed; or
(b) affect any saving clause in the regulations or parts of regulations so repealed; or
(c) prevent the application of any of those
regulations or parts of regulations, or of any
regulation or any part of a regulation
formerly in force, to any transaction, matter
(c) prevent the application of any of those
regulations or parts of regulations, or of any
regulation or any part of a regulation
formerly in force, to any transaction, matter
Effet
Repeal
Volumes
reliés
Old
regulations
not revived
or thing before the repeal to which they
would otherwise apply.
or thing before the repeal to which they
would otherwise apply.
(2) Subsections 18(2) to (4) of the Act are
replaced by the following:
(2) Les paragraphes 18(2) à (4) de la
même loi sont remplacés par ce qui suit :
Not new law
(2) A regulation included in the Revised
Regulations shall not be held to operate as a
new regulation, but shall be construed and
have effect as a consolidation and as declaratory of the law as contained in the regulation
and parts of regulations as revised, and for
which the regulation included in the Revised
Regulations is substituted.
(2) Un règlement compris dans les Règlements révisés n’est pas censé avoir l’effet d’un
nouveau règlement; dans son interprétation et
son application, il est considéré comme une
codification déclarative de l’état du droit
selon les règlements et parties de règlement
qui ont fait l’objet de cette révision et que
remplace le règlement compris dans les
Règlements révisés.
Pas de droit
nouveau
Where
revision
differs
(3) Where, on any point, the provisions of
a regulation included in the Revised Regulations are not in effect the same as those of the
repealed provisions for which they are substituted, in respect of all transactions, matters
and things subsequent to the time when the
regulation included in the Revised Regulations takes effect, the provisions contained in
that regulation prevail, but in respect of all
transactions, matters and things before that
time, the repealed provisions prevail.
(3) Lorsque, sur un point quelconque, les
dispositions d’un règlement compris dans les
Règlements révisés ne comportent pas le
même effet que les dispositions abrogées
qu’elles remplacent, ce sont elles qui prévalent à l’égard de tout ce qui est postérieur à
l’entrée en vigueur des Règlements révisés,
les dispositions abrogées continuant de régir
tout ce qui est antérieur à cette entrée en
vigueur.
Divergence
de la révision
Construction
of references
(4) A reference in any regulation remaining
in force and not revised, or in any instrument
or document, to any regulation or part of a
regulation repealed under subsection 13(3) by
inclusion in the Revised Regulations shall,
after the regulation in the Revised Regulations
takes effect, be deemed, in respect of any
subsequent transaction, matter or thing, to be
a reference to the regulation or part of a
regulation in the Revised Regulations having
the same effect as the repealed regulation or
part of a regulation.
(4) Lorsqu’un règlement en vigueur mais
non révisé ou un texte ou document quelconque fait mention d’un règlement ou d’une
partie de règlement abrogés en vertu du
paragraphe 13(3) par l’effet de la révision,
cette mention, après l’entrée en vigueur du
règlement compris dans les Règlements révisés, est censée, pour tout ce qui est postérieur
à cette date, viser le règlement ou la partie de
règlement compris dans les Règlements révisés et comportant le même effet que le
règlement ou la partie de règlement abrogés.
Interprétation des
mentions
68. Sections 19 to 21 of the Act are
replaced by the following:
68. Les articles 19 à 21 de la même loi sont
remplacés par ce qui suit :
19. (1) The inclusion of any regulation or
part of a regulation in the schedule appended
to a Roll shall not be considered to be a
declaration that the regulation or part was or
was not in force immediately before the
coming into force of the portion of the Revised
Regulations that includes that regulation or
part.
19. (1) La mention d’un règlement ou d’une
partie de règlement dans l’annexe d’un recueil
n’est pas censée être déclarative du fait que ce
règlement ou cette partie de règlement était ou
n’était pas en vigueur lors de l’entrée en
vigueur de la partie des Règlements révisés
qui comprend ce règlement ou cette partie de
règlement.
Effect of
inclusion in
schedule
Effet d’une
mention dans
l’annexe
Paragraph
16(3)(b)
Statutory
Instruments
Act
(2) The whole or any part of the Revised
Regulations shall be construed to be a revision
of regulations referred to in paragraph
16(3)(b) of the Statutory Instruments Act.
(2) Tout ou partie des Règlements révisés a
valeur de la révision des règlements mentionnée à l’alinéa 16(3)b) de la Loi sur les textes
réglementaires.
Alinéa
16(3)b) de la
Loi sur les
textes
réglementaires
Scrutiny
Committees
of Parliament
(3) A regulation that is included in the
Consolidated Regulations of Canada, 1978 or
in the Revised Regulations stands permanently referred to any Committee or Committees
of Parliament established under section 19 of
the Statutory Instruments Act.
(3) Les règlements compris dans la Codification des règlements du Canada, 1978 ou
dans les Règlements révisés sont soumis
automatiquement à l’examen des comités du
Parlement établis en vertu de l’article 19 de la
Loi sur les textes réglementaires.
Comités de
vérification
du Parlement
Citation of
Revised
Regulations
20. (1) Any regulation included in the
Revised Regulations may be cited and referred to in any Act, regulation, proceeding,
instrument or document whatever either by its
short or long title or by using the expression
‘‘Revised Regulations of Canada, chapter
....’’, or ‘‘Revised Regulations, chapter ....’’,
or ‘‘Chapter .... of the Revised Regulations’’,
or the abbreviation ‘‘R.R.C., c. ....’’, adding in
each case the number of the particular chapter.
20. (1) Les règlements compris dans les
Règlements révisés peuvent être cités et
désignés dans une loi, un règlement, un acte de
procédure, un texte ou un document quelconque, soit sous leur titre abrégé ou intégral, soit
au moyen de la formule « Règlements révisés
du Canada, chapitre ............ » ou « Règlements révisés, chapitre ............ » ou « Chapitre ............ des Règlements révisés » ou de
l’abréviation « R.R.C., ch. ............ », avec
dans chaque cas l’indication du numéro du
chapitre considéré.
Citation de la
Révision des
règlements
Amendments
included
(2) The citation of any chapter of the
Revised Regulations in accordance with subsection (1) is deemed to include any amendments made after the publication of that
regulation in the Revised Regulations.
(2) Le chapitre des Règlements révisés cité
conformément au paragraphe (1) est censé
comprendre les modifications postérieures à
la publication du règlement en question dans
les Règlements révisés.
Modifications
postérieures
Electronic
publishing
21. (1) The Queen’s Printer may publish an
edition of the Revised Regulations in electronic form and every copy of a revised
regulation published in electronic form by the
Queen’s Printer is evidence of that regulation
and of its contents, and every copy purporting
to be published by the Queen’s Printer is
deemed to be so published, unless the contrary
is shown.
21. (1) L’imprimeur de la Reine peut
publier une édition des Règlements révisés sur
support électronique et tout exemplaire d’un
règlement révisé, publié sur support électronique par l’imprimeur de la Reine, fait preuve de
ce règlement et de son contenu. Tout exemplaire donné comme publié par l’imprimeur
de la Reine est réputé avoir été ainsi publié,
sauf preuve contraire.
Publication
électronique
Inconsistencies in
regulations
(2) In the event of an inconsistency between
a revised regulation published by the Queen’s
Printer in electronic form and the original of
the regulation as printed in the Roll deposited
in the office of the Clerk of the Privy Council
under section 12, the original of the regulation
prevails to the extent of the inconsistency.
(2) Les dispositions du règlement d’origine
avec ses modifications subséquentes enregistrées par le greffier du Conseil privé en vertu
de l’article 12 l’emportent sur les dispositions
incompatibles du règlement révisé publié par
l’imprimeur de la Reine sur support électronique.
Incompatibilité —
règlements
69. Subsection 22(1) of the Act is replaced
by the following:
69. Le paragraphe 22(1) de la même loi
est remplacé par ce qui suit :
Request to
remake
regulations
Demande de
prise d’un
nouveau
règlement
22. (1) If the Clerk of the Privy Council,
after consultation with the Deputy Minister of
Justice, is of the opinion that any particular
regulations should be remade by the regulation-making authority instead of being revised
under this Act, the Clerk of the Privy Council
may request that authority or any person
acting on behalf of that authority to make new
regulations.
22. (1) Lorsqu’il juge, après consultation
avec le sous-ministre de la Justice, qu’il y a
lieu de faire refaire un règlement par l’autorité
réglementaire plutôt que de le réviser aux
termes de la présente loi, le greffier du Conseil
privé peut demander à cette autorité ou à un
mandataire de cette autorité de prendre un
nouveau règlement.
70. Section 23 of the Act is replaced by the
following:
70. L’article 23 de la même loi est
remplacé par ce qui suit :
Indices
23. The Commission may cause indices to
the Revised Regulations to be prepared and
published for the convenience of the public.
23. La Commission peut faire établir et
publier à l’usage du public des index des
Règlements révisés.
Index
Citation of
Consolidated
Regulations,
1978
24. (1) Any regulation included in the
Consolidated Regulations of Canada, 1978
may be cited and referred to in any Act,
regulation, proceeding, instrument or document whatever either by its short or long title
or by using the expression ‘‘Consolidated
Regulations of Canada, chapter ....’’, or ‘‘Consolidated Regulations, chapter ....’’, or
‘‘Chapter .... of the Consolidated Regulations’’, or the abbreviation ‘‘C.R.C., c. ....’’,
adding in each case the number of the
particular chapter.
24. (1) Les règlements compris dans la
Codification des règlements du Canada, 1978
peuvent être cités et désignés dans une loi, un
règlement, un acte de procédure, un texte ou
un document quelconque, soit sous leur titre
abrégé ou intégral, soit au moyen de la
formule « Codification des règlements du
Canada, chapitre ............ » ou « Codification
des règlements, chapitre ............ » ou « Chapitre ............ de la Codification des règlements » ou de l’abréviation « C.R.C., ch.
............ », avec dans chaque cas l’indication
du numéro du chapitre considéré.
Citation de la
Codification
des
règlements,
1978
Amendments
included
(2) The citation of any chapter of the
Consolidated Regulations of Canada, 1978 in
accordance with subsection (1) is deemed to
include any amendments made after the
publication of that regulation in the Consolidated Regulations of Canada, 1978.
(2) Le chapitre de la Codification des
règlements du Canada, 1978 cité conformément au paragraphe (1) est censé comprendre
les modifications postérieures à la publication
du règlement en question dans la Codification
des règlements du Canada, 1978.
Modifications
postérieures
71. Part III of the Act is replaced by the
following:
71. La partie III de la même loi est
remplacée par ce qui suit :
PART III
PARTIE III
CONSOLIDATED STATUTES AND
REGULATIONS OF CANADA
CODIFICATION DES LOIS ET
RÈGLEMENTS DU CANADA
Interpretation
Définitions
Definitions
25. The definitions in this section apply in
this Part.
25. Les définitions qui suivent s’appliquent
à la présente partie.
Définitions
‘‘consolidated
regulations’’
« règlements
codifiés »
‘‘consolidated regulations’’ means the consolidated regulations of Canada maintained by
the Minister under this Part.
« lois codifiées » Les lois codifiées du Canada, tenues par le ministre au titre de la présente partie.
« lois
codifiées »
‘‘consolidated
statutes’’
‘‘consolidated
statutes’’
« lois
codifiées »
« règlements
codifiés »
‘‘consolidated
regulations’’
‘‘consolidated statutes’’ means the consolidated statutes of Canada maintained by the
Minister under this Part.
« règlements codifiés » Les règlements codifiés du Canada, tenus par le ministre au titre
de la présente partie.
Consolidation of the Statutes and
Regulations
Codification des lois et des règlements
Authority to
maintain
26. The Minister may maintain a consolidation of the public statutes of Canada and a
consolidation of the regulations of Canada.
26. Le ministre peut tenir une codification
des lois publiques du Canada et une codification des règlements du Canada.
Pouvoir de
tenue
Powers of
Minister
27. In maintaining a consolidation of the
statutes or regulations, the Minister may
27. Le ministre, dans le cadre de la tenue
d’une codification des lois ou des règlements,
peut :
Pouvoirs du
ministre
(a) omit any Act or regulation, or any part
of an Act or a regulation, that has expired,
has been repealed or has had its effect;
(b) include historical references or other
information that enhances the value of the
consolidation;
(c) correct grammatical and typographical
errors without changing the substance of
any enactment; and
(d) set out as a separate Act or regulation
any Act or regulation enacted by another
Act or regulation.
a) exclure toute loi ou tout règlement — ou
toute partie d’une loi ou d’un règlement — périmé, abrogé ou ayant rempli
son objet;
b) inclure toute note historique ou autre
renseignement qui améliore la qualité de la
codification;
c) corriger les erreurs grammaticales et
typographiques, sans toutefois changer le
fond;
d) établir comme une loi ou un règlement
distinct une loi ou un règlement pris dans le
cadre d’une autre loi ou d’un autre règlement.
Publication and Distribution
Publication et diffusion
Authority to
publish
28. (1) The Minister may cause the consolidated statutes or consolidated regulations to
be published in printed or electronic form, and
in any manner and frequency that the Minister
considers appropriate.
28. (1) Le ministre peut faire en sorte que les
lois codifiées ou les règlements codifiés soient
publiés sur support papier ou sur support
électronique, de la manière et selon la fréquence qu’il juge indiquées.
Pouvoir de
publication
Differences in
form
(2) A publication in an electronic form may
differ from a publication in another form to
accommodate the needs of the electronic form
if the differences do not change the substance
of any enactment.
(2) Une publication sur support électronique peut être différente d’une publication sous
une autre forme pour des raisons de commodité, pourvu que les différences ne portent pas
atteinte au fond.
Différences
dans la forme
Free
distribution
29. Copies of the consolidated statutes and
consolidated regulations must be distributed
without charge to the persons or classes of
persons, and in the form and manner, that the
Governor in Council, on the recommendation
of the Minister, directs.
29. Des exemplaires des lois codifiées et
des règlements codifiés, publiés en vertu de la
présente loi, sont remis sans frais aux personnes ou catégories de personnes que le gouverneur en conseil précise, sur recommandation
du ministre, et de la manière qu’il ordonne, sur
recommandation du ministre.
Diffusion
libre
Effect of Consolidation
Effet de la codification
Consolidation
not new law
30. The consolidated statutes and consolidated regulations do not operate as new law.
30. Les lois codifiées et les règlements
codifiés ne sont pas de droit nouveau.
Codification
non de droit
nouveau
Published
consolidation
is evidence
31. (1) Every copy of a consolidated statute
or consolidated regulation published by the
Minister under this Act in either print or
electronic form is evidence of that statute or
regulation and of its contents and every copy
purporting to be published by the Minister is
deemed to be so published, unless the contrary
is shown.
31. (1) Tout exemplaire d’une loi codifiée
ou d’un règlement codifié, publié par le
ministre en vertu de la présente loi sur support
papier ou sur support électronique, fait foi de
cette loi ou de ce règlement et de son contenu.
Tout exemplaire donné comme publié par le
ministre est réputé avoir été ainsi publié, sauf
preuve contraire.
Codifications
comme
élément de
preuve
Inconsistencies in Acts
(2) In the event of an inconsistency between
a consolidated statute published by the Minister under this Act and the original statute or a
subsequent amendment as certified by the
Clerk of the Parliaments under the Publication of Statutes Act, the original statute or
amendment prevails to the extent of the
inconsistency.
(2) Les dispositions de la loi d’origine avec
ses modifications subséquentes par le greffier
des Parlements en vertu de la Loi sur la
publication des lois l’emportent sur les dispositions incompatibles de la loi codifiée publiée
par le ministre en vertu de la présente loi.
Incompatibilité — lois
Inconsistencies in
regulations
(3) In the event of an inconsistency between
a consolidated regulation published by the
Minister under this Act and the original
regulation or a subsequent amendment as
registered by the Clerk of the Privy Council
under the Statutory Instruments Act, the
original regulation or amendment prevails to
the extent of the inconsistency.
(3) Les dispositions du règlement d’origine
avec ses modifications subséquentes enregistrées par le greffier du Conseil privé en vertu
de la Loi sur les textes réglementaires l’emportent sur les dispositions incompatibles du
règlement codifié publié par le ministre en
vertu de la présente loi.
Incompatibilité —
règlements
Co-publishing Agreements
Ententes de copublication
Agreements
32. The Minister may enter into agreements
for the production of the consolidated statutes
or consolidated regulations and for their
publication, sale or distribution.
32. Le ministre peut signer des ententes
pour la production, la publication, la vente et
la diffusion des lois codifiées et des règlements codifiés.
Ententes
PART 6
PARTIE 6
COMING INTO FORCE
ENTRÉE EN VIGUEUR
Coming into
force
72. Parts 1 to 5 or any provision of those
Parts come into force on a day or days to be
fixed by order of the Governor in Council
made on the recommendation of
(a) in the case of Parts 1 and 2 or any
provision of those Parts, the Minister of
Industry; and
(b) in the case of Parts 3 to 5 or any
provision of those Parts, the Minister of
Justice.
72. Les parties 1 à 5 ou telle de leurs
dispositions entrent en vigueur à la date ou
aux dates fixées par décret, sur la recommandation :
a) dans le cas des parties 1 et 2 ou de telle
de leurs dispositions, du ministre de
l’Industrie;
b) dans le cas des parties 3 à 5 ou de telle
de leurs dispositions, du ministre de la
Justice.
Entrée en
vigueur
44
C. 5
Personal Information Protection and Electronic Documents — Schedule 1
48-49 ELIZ. II
SCHEDULE 1
(Section 5)
ANNEXE 1
(article 5)
PRINCIPLES SET OUT IN THE NATIONAL STANDARD
OF CANADA ENTITLED MODEL CODE FOR THE
PROTECTION OF PERSONAL INFORMATION,
CAN/CSA-Q830-96
PRINCIPES ÉNONCÉS DANS LA NORME NATIONALE
DU CANADA INTITULÉE CODE TYPE SUR LA PROTECTION DES RENSEIGNEMENTS PERSONNELS,
CAN/CSA-Q830-96
4.1 Principle 1 — Accountability
4.1 Premier principe — Responsabilité
An organization is responsible for personal information under
its control and shall designate an individual or individuals who
are accountable for the organization’s compliance with the
following principles.
Une organisation est responsable des renseignements personnels dont elle a la gestion et doit désigner une ou des personnes
qui devront s’assurer du respect des principes énoncés ci-dessous.
4.1.1
4.1.1
Accountability for the organization’s compliance with the
principles rests with the designated individual(s), even though
other individuals within the organization may be responsible for
the day-to-day collection and processing of personal information. In addition, other individuals within the organization may
be delegated to act on behalf of the designated individual(s).
Il incombe à la ou aux personnes désignées de s’assurer que
l’organisation respecte les principes même si d’autres membres
de l’organisation peuvent être chargés de la collecte et du
traitement quotidiens des renseignements personnels. D’autres
membres de l’organisation peuvent aussi être délégués pour agir
au nom de la ou des personnes désignées.
4.1.2
4.1.2
The identity of the individual(s) designated by the organization to oversee the organization’s compliance with the principles
shall be made known upon request.
Il doit être possible de connaître sur demande l’identité des
personnes que l’organisation a désignées pour s’assurer que les
principes sont respectés.
4.1.3
4.1.3
An organization is responsible for personal information in its
possession or custody, including information that has been
transferred to a third party for processing. The organization shall
use contractual or other means to provide a comparable level of
protection while the information is being processed by a third
party.
Une organisation est responsable des renseignements personnels qu’elle a en sa possession ou sous sa garde, y compris les
renseignements confiés à une tierce partie aux fins de traitement.
L’organisation doit, par voie contractuelle ou autre, fournir un
degré comparable de protection aux renseignements qui sont en
cours de traitement par une tierce partie.
4.1.4
4.1.4
Organizations shall implement policies and practices to give
effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information
about the organization’s policies and practices; and
(d) developing information to explain the organization’s
policies and procedures.
Les organisations doivent assurer la mise en oeuvre des
politiques et des pratiques destinées à donner suite aux principes,
y compris :
a) la mise en oeuvre des procédures pour protéger les
renseignements personnels;
b) la mise en place des procédures pour recevoir les plaintes et
les demandes de renseignements et y donner suite;
c) la formation du personnel et la transmission au personnel de
l’information relative aux politiques et pratiques de l’organisation; et
d) la rédaction des documents explicatifs concernant leurs
politiques et procédures.
1999-2000
Protection des renseignements personnels et documents électroniques — Annexe 1
ch. 5
45
4.2 Principle 2 — Identifying Purposes
4.2 Deuxième principe — Détermination des fins de la
collecte des renseignements
The purposes for which personal information is collected shall
be identified by the organization at or before the time the
information is collected.
Les fins auxquelles des renseignements personnels sont
recueillis doivent être déterminées par l’organisation avant la
collecte ou au moment de celle-ci.
4.2.1
4.2.1
The organization shall document the purposes for which
personal information is collected in order to comply with the
Openness principle (Clause 4.8) and the Individual Access
principle (Clause 4.9).
L’organisation doit documenter les fins auxquelles les renseignements personnels sont recueillis afin de se conformer au
principe de la transparence (article 4.8) et au principe de l’accès
aux renseignements personnels (article 4.9).
4.2.2
4.2.2
Identifying the purposes for which personal information is
collected at or before the time of collection allows organizations
to determine the information they need to collect to fulfil these
purposes. The Limiting Collection principle (Clause 4.4) requires an organization to collect only that information necessary
for the purposes that have been identified.
Le fait de préciser les fins de la collecte de renseignements
personnels avant celle-ci ou au moment de celle-ci permet à
l’organisation de déterminer les renseignements dont elle a
besoin pour réaliser les fins mentionnées. Suivant le principe de
la limitation en matière de collecte (article 4.4), l’organisation ne
doit recueillir que les renseignements nécessaires aux fins
mentionnées.
4.2.3
4.2.3
The identified purposes should be specified at or before the
time of collection to the individual from whom the personal
information is collected. Depending upon the way in which the
information is collected, this can be done orally or in writing. An
application form, for example, may give notice of the purposes.
Il faudrait préciser à la personne auprès de laquelle on recueille
des renseignements, avant la collecte ou au moment de celle-ci,
les fins auxquelles ils sont destinés. Selon la façon dont se fait la
collecte, cette précision peut être communiquée de vive voix ou
par écrit. Par exemple, on peut indiquer ces fins sur un formulaire
de demande de renseignements.
4.2.4
4.2.4
When personal information that has been collected is to be
used for a purpose not previously identified, the new purpose
shall be identified prior to use. Unless the new purpose is required
by law, the consent of the individual is required before
information can be used for that purpose. For an elaboration on
consent, please refer to the Consent principle (Clause 4.3).
Avant de se servir de renseignements personnels à des fins non
précisées antérieurement, les nouvelles fins doivent être précisées avant l’utilisation. À moins que les nouvelles fins auxquelles
les renseignements sont destinés ne soient prévues par une loi, il
faut obtenir le consentement de la personne concernée avant
d’utiliser les renseignements à cette nouvelle fin. Pour obtenir
plus de précisions sur le consentement, se reporter au principe du
consentement (article 4.3).
4.2.5
4.2.5
Persons collecting personal information should be able to
explain to individuals the purposes for which the information is
being collected.
Les personnes qui recueillent des renseignements personnels
devraient être en mesure d’expliquer à la personne concernée à
quelles fins sont destinés ces renseignements.
4.2.6
4.2.6
This principle is linked closely to the Limiting Collection
principle (Clause 4.4) and the Limiting Use, Disclosure, and
Retention principle (Clause 4.5).
Ce principe est étroitement lié au principe de la limitation de
la collecte (article 4.4) et à celui de la limitation de l’utilisation,
de la communication et de la conservation (article 4.5).
4.3 Principle 3 — Consent
4.3 Troisième principe — Consentement
The knowledge and consent of the individual are required for
the collection, use, or disclosure of personal information, except
where inappropriate.
Note: In certain circumstances personal information can be
collected, used, or disclosed without the knowledge and consent
of the individual. For example, legal, medical, or security reasons
may make it impossible or impractical to seek consent. When
information is being collected for the detection and prevention of
fraud or for law enforcement, seeking the consent of the
individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when
the individual is a minor, seriously ill, or mentally incapacitated.
In addition, organizations that do not have a direct relationship
with the individual may not always be able to seek consent. For
example, seeking consent may be impractical for a charity or a
direct-marketing firm that wishes to acquire a mailing list from
another organization. In such cases, the organization providing
the list would be expected to obtain consent before disclosing
personal information.
Toute personne doit être informée de toute collecte, utilisation
ou communication de renseignements personnels qui la concernent et y consentir, à moins qu’il ne soit pas approprié de le faire.
Note : Dans certaines circonstances, il est possible de recueillir, d’utiliser et de communiquer des renseignements à l’insu de
la personne concernée et sans son consentement. Par exemple,
pour des raisons d’ordre juridique ou médical ou pour des raisons
de sécurité, il peut être impossible ou peu réaliste d’obtenir le
consentement de la personne concernée. Lorsqu’on recueille des
renseignements aux fins du contrôle d’application de la loi, de la
détection d’une fraude ou de sa prévention, on peut aller à
l’encontre du but visé si l’on cherche à obtenir le consentement
de la personne concernée. Il peut être impossible ou inopportun
de chercher à obtenir le consentement d’un mineur, d’une
personne gravement malade ou souffrant d’incapacité mentale.
De plus, les organisations qui ne sont pas en relation directe avec
la personne concernée ne sont pas toujours en mesure d’obtenir
le consentement prévu. Par exemple, il peut être peu réaliste pour
une oeuvre de bienfaisance ou une entreprise de marketing direct
souhaitant acquérir une liste d’envoi d’une autre organisation de
chercher à obtenir le consentement des personnes concernées. On
s’attendrait, dans de tels cas, à ce que l’organisation qui fournit
la liste obtienne le consentement des personnes concernées avant
de communiquer des renseignements personnels.
4.3.1
4.3.1
Consent is required for the collection of personal information
and the subsequent use or disclosure of this information.
Typically, an organization will seek consent for the use or
disclosure of the information at the time of collection. In certain
circumstances, consent with respect to use or disclosure may be
sought after the information has been collected but before use
(for example, when an organization wants to use information for
a purpose not previously identified).
Il faut obtenir le consentement de la personne concernée avant
de recueillir des renseignements personnels à son sujet et
d’utiliser ou de communiquer les renseignements recueillis.
Généralement, une organisation obtient le consentement des
personnes concernées relativement à l’utilisation et à la communication des renseignements personnels au moment de la
collecte. Dans certains cas, une organisation peut obtenir le
consentement concernant l’utilisation ou la communication des
renseignements après avoir recueilli ces renseignements, mais
avant de s’en servir, par exemple, quand elle veut les utiliser à des
fins non précisées antérieurement.
4.3.2
4.3.2
The principle requires ‘‘knowledge and consent’’. Organizations shall make a reasonable effort to ensure that the individual
is advised of the purposes for which the information will be used.
To make the consent meaningful, the purposes must be stated in
such a manner that the individual can reasonably understand how
the information will be used or disclosed.
Suivant ce principe, il faut informer la personne au sujet de
laquelle on recueille des renseignements et obtenir son consentement. Les organisations doivent faire un effort raisonnable pour
s’assurer que la personne est informée des fins auxquelles les
renseignements seront utilisés. Pour que le consentement soit
valable, les fins doivent être énoncées de façon que la personne
puisse raisonnablement comprendre de quelle manière les
renseignements seront utilisés ou communiqués.
4.3.3
4.3.3
An organization shall not, as a condition of the supply of a
product or service, require an individual to consent to the
collection, use, or disclosure of information beyond that required
to fulfil the explicitly specified, and legitimate purposes.
Une organisation ne peut pas, pour le motif qu’elle fournit un
bien ou un service, exiger d’une personne qu’elle consente à la
collecte, à l’utilisation ou à la communication de renseignements
autres que ceux qui sont nécessaires pour réaliser les fins
légitimes et explicitement indiquées.
4.3.4
4.3.4
The form of the consent sought by the organization may vary,
depending upon the circumstances and the type of information.
In determining the form of consent to use, organizations shall
take into account the sensitivity of the information. Although
some information (for example, medical records and income
records) is almost always considered to be sensitive, any
information can be sensitive, depending on the context. For
example, the names and addresses of subscribers to a newsmagazine would generally not be considered sensitive information.
However, the names and addresses of subscribers to some
special-interest magazines might be considered sensitive.
La forme du consentement que l’organisation cherche à
obtenir peut varier selon les circonstances et la nature des
renseignements. Pour déterminer la forme que prendra le
consentement, les organisations doivent tenir compte de la
sensibilité des renseignements. Si certains renseignements sont
presque toujours considérés comme sensibles, par exemple les
dossiers médicaux et le revenu, tous les renseignements peuvent
devenir sensibles suivant le contexte. Par exemple, les nom et
adresse des abonnés d’une revue d’information ne seront
généralement pas considérés comme des renseignements sensibles. Toutefois, les nom et adresse des abonnés de certains
périodiques spécialisés pourront l’être.
4.3.5
4.3.5
In obtaining consent, the reasonable expectations of the
individual are also relevant. For example, an individual buying
a subscription to a magazine should reasonably expect that the
organization, in addition to using the individual’s name and
address for mailing and billing purposes, would also contact the
person to solicit the renewal of the subscription. In this case, the
organization can assume that the individual’s request constitutes
consent for specific purposes. On the other hand, an individual
would not reasonably expect that personal information given to
a health-care professional would be given to a company selling
health-care products, unless consent were obtained. Consent
shall not be obtained through deception.
Dans l’obtention du consentement, les attentes raisonnables
de la personne sont aussi pertinentes. Par exemple, une personne
qui s’abonne à un périodique devrait raisonnablement s’attendre
à ce que l’entreprise, en plus de se servir de son nom et de son
adresse à des fins de postage et de facturation, communique avec
elle pour lui demander si elle désire que son abonnement soit
renouvelé. Dans ce cas, l’organisation peut présumer que la
demande de la personne constitue un consentement à ces fins
précises. D’un autre côté, il n’est pas raisonnable qu’une
personne s’attende à ce que les renseignements personnels
qu’elle fournit à un professionnel de la santé soient donnés sans
son consentement à une entreprise qui vend des produits de soins
de santé. Le consentement ne doit pas être obtenu par un
subterfuge.
4.3.6
4.3.6
The way in which an organization seeks consent may vary,
depending on the circumstances and the type of information
collected. An organization should generally seek express consent
when the information is likely to be considered sensitive. Implied
consent would generally be appropriate when the information is
less sensitive. Consent can also be given by an authorized
representative (such as a legal guardian or a person having power
of attorney).
La façon dont une organisation obtient le consentement peut
varier selon les circonstances et la nature des renseignements
recueillis. En général, l’organisation devrait chercher à obtenir
un consentement explicite si les renseignements sont susceptibles d’être considérés comme sensibles. Lorsque les renseignements sont moins sensibles, un consentement implicite serait
normalement jugé suffisant. Le consentement peut également
être donné par un représentant autorisé (détenteur d’une procuration, tuteur).
4.3.7
4.3.7
Individuals can give consent in many ways. For example:
(a) an application form may be used to seek consent, collect
information, and inform the individual of the use that will be
made of the information. By completing and signing the form,
the individual is giving consent to the collection and the
specified uses;
(b) a checkoff box may be used to allow individuals to request
that their names and addresses not be given to other
organizations. Individuals who do not check the box are
assumed to consent to the transfer of this information to third
parties;
(c) consent may be given orally when information is collected
over the telephone; or
(d) consent may be given at the time that individuals use a
product or service.
Le consentement peut revêtir différentes formes, par exemple :
a) on peut se servir d’un formulaire de demande de renseignements pour obtenir le consentement, recueillir des renseignements et informer la personne de l’utilisation qui sera faite des
renseignements. En remplissant le formulaire et en le signant,
la personne donne son consentement à la collecte de renseignements et aux usages précisés;
b) on peut prévoir une case où la personne pourra indiquer en
cochant qu’elle refuse que ses nom et adresse soient communiqués à d’autres organisations. Si la personne ne coche pas la
case, il sera présumé qu’elle consent à ce que les renseignements soient communiqués à des tiers;
c) le consentement peut être donné de vive voix lorsque les
renseignements sont recueillis par téléphone; ou
d) le consentement peut être donné au moment où le produit
ou le service est utilisé.
4.3.8
4.3.8
An individual may withdraw consent at any time, subject to
legal or contractual restrictions and reasonable notice. The
organization shall inform the individual of the implications of
such withdrawal.
Une personne peut retirer son consentement en tout temps,
sous réserve de restrictions prévues par une loi ou un contrat et
d’un préavis raisonnable. L’organisation doit informer la personne des conséquences d’un tel retrait.
4.4 Principle 4 — Limiting Collection
4.4 Quatrième principe — Limitation de la collecte
The collection of personal information shall be limited to that
which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
L’organisation ne peut recueillir que les renseignements
personnels nécessaires aux fins déterminées et doit procéder de
façon honnête et licite.
4.4.1
4.4.1
Organizations shall not collect personal information indiscriminately. Both the amount and the type of information
collected shall be limited to that which is necessary to fulfil the
purposes identified. Organizations shall specify the type of
information collected as part of their information-handling
policies and practices, in accordance with the Openness principle
(Clause 4.8).
Les organisations ne doivent pas recueillir des renseignements
de façon arbitraire. On doit restreindre tant la quantité que la
nature des renseignements recueillis à ce qui est nécessaire pour
réaliser les fins déterminées. Conformément au principe de la
transparence (article 4.8), les organisations doivent préciser la
nature des renseignements recueillis comme partie intégrante de
leurs politiques et pratiques concernant le traitement des renseignements.
4.4.2
4.4.2
The requirement that personal information be collected by fair
and lawful means is intended to prevent organizations from
collecting information by misleading or deceiving individuals
about the purpose for which information is being collected. This
requirement implies that consent with respect to collection must
not be obtained through deception.
L’exigence selon laquelle les organisations sont tenues de
recueillir des renseignements personnels de façon honnête et
licite a pour objet de les empêcher de tromper les gens et de les
induire en erreur quant aux fins auxquelles les renseignements
sont recueillis. Cette obligation suppose que le consentement à la
collecte de renseignements ne doit pas être obtenu par un
subterfuge.
4.4.3
4.4.3
This principle is linked closely to the Identifying Purposes
principle (Clause 4.2) and the Consent principle (Clause 4.3).
Ce principe est étroitement lié au principe de détermination
des fins auxquelles la collecte est destinée (article 4.2) et à celui
du consentement (article 4.3).
4.5 Principle 5 — Limiting Use, Disclosure, and Retention
4.5 Cinquième principe — Limitation de l’utilisation, de
la communication et de la conservation
Personal information shall not be used or disclosed for
purposes other than those for which it was collected, except with
the consent of the individual or as required by law. Personal
information shall be retained only as long as necessary for the
fulfilment of those purposes.
Les renseignements personnels ne doivent pas être utilisés ou
communiqués à des fins autres que celles auxquelles ils ont été
recueillis à moins que la personne concernée n’y consente ou que
la loi ne l’exige. On ne doit conserver les renseignements
personnels qu’aussi longtemps que nécessaire pour la réalisation
des fins déterminées.
4.5.1
4.5.1
Organizations using personal information for a new purpose
shall document this purpose (see Clause 4.2.1).
Les organisations qui se servent de renseignements personnels
à des fins nouvelles doivent documenter ces fins (voir article
4.2.1).
4.5.2
4.5.2
Organizations should develop guidelines and implement
procedures with respect to the retention of personal information.
These guidelines should include minimum and maximum
retention periods. Personal information that has been used to
make a decision about an individual shall be retained long
enough to allow the individual access to the information after the
decision has been made. An organization may be subject to
legislative requirements with respect to retention periods.
Les organisations devraient élaborer des lignes directrices et
appliquer des procédures pour la conservation des renseignements personnels. Ces lignes directrices devraient préciser les
durées minimales et maximales de conservation. On doit
conserver les renseignements personnels servant à prendre une
décision au sujet d’une personne suffisamment longtemps pour
permettre à la personne concernée d’exercer son droit d’accès à
l’information après que la décision a été prise. Une organisation
peut être assujettie à des exigences prévues par la loi en ce qui
concerne les périodes de conservation.
4.5.3
4.5.3
Personal information that is no longer required to fulfil the
identified purposes should be destroyed, erased, or made
anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
On devrait détruire, effacer ou dépersonnaliser les renseignements personnels dont on n’a plus besoin aux fins précisées. Les
organisations doivent élaborer des lignes directrices et appliquer
des procédures régissant la destruction des renseignements
personnels.
4.5.4
4.5.4
This principle is closely linked to the Consent principle
(Clause 4.3), the Identifying Purposes principle (Clause 4.2), and
the Individual Access principle (Clause 4.9).
Ce principe est étroitement lié au principe du consentement
(article 4.3), à celui de la détermination des fins auxquelles la
collecte est destinée (article 4.2), ainsi qu’à celui de l’accès
individuel (article 4.9).
4.6 Principle 6 — Accuracy
4.6 Sixième principe — Exactitude
Personal information shall be as accurate, complete, and
up-to-date as is necessary for the purposes for which it is to be
used.
Les renseignements personnels doivent être aussi exacts,
complets et à jour que l’exigent les fins auxquelles ils sont
destinés.
4.6.1
4.6.1
The extent to which personal information shall be accurate,
complete, and up-to-date will depend upon the use of the
information, taking into account the interests of the individual.
Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information
may be used to make a decision about the individual.
Le degré d’exactitude et de mise à jour ainsi que le caractère
complet des renseignements personnels dépendront de l’usage
auquel ils sont destinés, compte tenu des intérêts de la personne.
Les renseignements doivent être suffisamment exacts, complets
et à jour pour réduire au minimum la possibilité que des
renseignements inappropriés soient utilisés pour prendre une
décision à son sujet.
4.6.2
4.6.2
An organization shall not routinely update personal information, unless such a process is necessary to fulfil the purposes for
which the information was collected.
Une organisation ne doit pas systématiquement mettre à jour
les renseignements personnels à moins que cela ne soit nécessaire
pour atteindre les fins auxquelles ils ont été recueillis.
4.6.3
4.6.3
Personal information that is used on an ongoing basis,
including information that is disclosed to third parties, should
generally be accurate and up-to-date, unless limits to the
requirement for accuracy are clearly set out.
Les renseignements personnels qui servent en permanence, y
compris les renseignements qui sont communiqués à des tiers,
devraient normalement être exacts et à jour à moins que des
limites se rapportant à l’exactitude de ces renseignements ne
soient clairement établies.
4.7 Principle 7 — Safeguards
4.7 Septième principe — Mesures de sécurité
Personal information shall be protected by security safeguards
appropriate to the sensitivity of the information.
Les renseignements personnels doivent être protégés au
moyen de mesures de sécurité correspondant à leur degré de
sensibilité.
4.7.1
4.7.1
The security safeguards shall protect personal information
against loss or theft, as well as unauthorized access, disclosure,
copying, use, or modification. Organizations shall protect
personal information regardless of the format in which it is held.
Les mesures de sécurité doivent protéger les renseignements
personnels contre la perte ou le vol ainsi que contre la
consultation, la communication, la copie, l’utilisation ou la
modification non autorisées. Les organisations doivent protéger
les renseignements personnels quelle que soit la forme sous
laquelle ils sont conservés.
4.7.2
4.7.2
The nature of the safeguards will vary depending on the
sensitivity of the information that has been collected, the amount,
distribution, and format of the information, and the method of
storage. More sensitive information should be safeguarded by a
higher level of protection. The concept of sensitivity is discussed
in Clause 4.3.4.
La nature des mesures de sécurité variera en fonction du degré
de sensibilité des renseignements personnels recueillis, de la
quantité, de la répartition et du format des renseignements
personnels ainsi que des méthodes de conservation. Les renseignements plus sensibles devraient être mieux protégés. La notion
de sensibilité est présentée à l’article 4.3.4.
4.7.3
4.7.3
The methods of protection should include
(a) physical measures, for example, locked filing cabinets and
restricted access to offices;
(b) organizational measures, for example, security clearances
and limiting access on a ‘‘need-to-know’’ basis; and
(c) technological measures, for example, the use of passwords
and encryption.
Les méthodes de protection devraient comprendre :
a) des moyens matériels, par exemple le verrouillage des
classeurs et la restriction de l’accès aux bureaux;
b) des mesures administratives, par exemple des autorisations
sécuritaires et un accès sélectif; et
c) des mesures techniques, par exemple l’usage de mots de
passe et du chiffrement.
4.7.4
4.7.4
Organizations shall make their employees aware of the
importance of maintaining the confidentiality of personal
information.
4.7.5
Care shall be used in the disposal or destruction of personal
information, to prevent unauthorized parties from gaining access
to the information (see Clause 4.5.3).
4.8 Principle 8 — Openness
An organization shall make readily available to individuals
specific information about its policies and practices relating to
the management of personal information.
4.8.1
Organizations shall be open about their policies and practices
with respect to the management of personal information.
Individuals shall be able to acquire information about an
organization’s policies and practices without unreasonable
effort. This information shall be made available in a form that is
generally understandable.
4.8.2
The information made available shall include
(a) the name or title, and the address, of the person who is
accountable for the organization’s policies and practices and
to whom complaints or inquiries can be forwarded;
(b) the means of gaining access to personal information held
by the organization;
(c) a description of the type of personal information held by
the organization, including a general account of its use;
(d) a copy of any brochures or other information that explain
the organization’s policies, standards, or codes; and
(e) what personal information is made available to related
organizations (e.g., subsidiaries).
4.8.3
An organization may make information on its policies and
practices available in a variety of ways. The method chosen
depends on the nature of its business and other considerations.
For example, an organization may choose to make brochures
available in its place of business, mail information to its
customers, provide online access, or establish a toll-free telephone number.
4.9 Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and
shall be given access to that information. An individual shall be
able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, an organization may not be able to
provide access to all the personal information it holds about an
individual. Exceptions to the access requirement should be
limited and specific. The reasons for denying access should be
provided to the individual upon request. Exceptions may include
information that is prohibitively costly to provide, information
that contains references to other individuals, information that
cannot be disclosed for legal, security, or commercial proprietary
reasons, and information that is subject to solicitor-client or
litigation privilege.
4.9.1
Upon request, an organization shall inform an individual
whether or not the organization holds personal information about
the individual. Organizations are encouraged to indicate the
source of this information. The organization shall allow the
individual access to this information. However, the organization
may choose to make sensitive medical information available
through a medical practitioner. In addition, the organization shall
provide an account of the use that has been made or is being made
of this information and an account of the third parties to which
it has been disclosed.
4.9.2
An individual may be required to provide sufficient information to permit an organization to provide an account of the
existence, use, and disclosure of personal information. The
information provided shall only be used for this purpose.
4.9.3
In providing an account of third parties to which it has
disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not
possible to provide a list of the organizations to which it has
actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have
disclosed information about the individual.
4.9.4
An organization shall respond to an individual’s request
within a reasonable time and at minimal or no cost to the
individual. The requested information shall be provided or made
available in a form that is generally understandable. For example,
if the organization uses abbreviations or codes to record
information, an explanation shall be provided.
4.9.5
When an individual successfully demonstrates the inaccuracy
or incompleteness of personal information, the organization shall
amend the information as required. Depending upon the nature
of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the
amended information shall be transmitted to third parties having
access to the information in question.
4.9.6
When a challenge is not resolved to the satisfaction of the
individual, the substance of the unresolved challenge shall be
recorded by the organization. When appropriate, the existence of
the unresolved challenge shall be transmitted to third parties
having access to the information in question.
4.10 Principle 10 — Challenging Compliance
An individual shall be able to address a challenge concerning
compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
4.10.1
The individual accountable for an organization’s compliance
is discussed in Clause 4.1.1.
4.10.2
Organizations shall put procedures in place to receive and
respond to complaints or inquiries about their policies and
practices relating to the handling of personal information. The
complaint procedures should be easily accessible and simple to use.
4.10.3
Organizations shall inform individuals who make inquiries or
lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist. For example, some
regulatory bodies accept complaints about the personal-information handling practices of the companies they regulate.
4.10.4
An organization shall investigate all complaints. If a complaint is found to be justified, the organization shall take
appropriate measures, including, if necessary, amending its
policies and practices.
SCHEDULE 2
(Sections 38 to 47, 49 and 51)
ACTS OF PARLIAMENT
SCHEDULE 3
(Sections 38 to 47, 49 and 51)
REGULATIONS AND OTHER INSTRUMENTS
Published under authority of the Speaker of the House of Commons
Available from:
Public Works and Government Services Canada — Publishing,
Ottawa, Canada K1A 0S9
Office of the Privacy Commissioner of Canada
Commissariat à la protection de la vie privée du Canada
A GUIDE FOR CANADIANS
Your Privacy Rights
Canada’s Personal Information Protection and Electronic Documents Act
A Word from the Privacy Commissioner of Canada
The right to privacy is fundamental to any democratic society. If we have
to worry – every time we open a bank account, use the Internet, make a
purchase in a store or fill out a form – about who will see our personal
information and how it will be used, we have lost a basic freedom.
Protecting our privacy helps protect our independence, our ability to
control our own lives, and our freedom to make our own decisions. Having
control of our personal information is key to our privacy: the more others
know about the details of our lives, the greater their opportunity to
influence, interfere with or judge the choices we make.
Advances in information technology and data management offer the
promise of a new and prosperous knowledge-based economy. But this
technology also poses a serious threat to our privacy. New communications
and information systems allow organizations to gather, match, share and
transmit growing quantities of information about us with unprecedented
speed and efficiency.
Finding a balance between the legitimate need of organizations to collect
information about us and the necessity to protect our privacy is a major
challenge. Canada’s Parliament responded to this challenge by passing a
new law that applies to the private sector called the Personal Information
Protection and Electronic Documents Act, which came into effect
January 1, 2001.
My Office has prepared this brochure to answer some of the common
questions Canadians may have about the new law and how to exercise
their right to privacy.
George Radwanski
Privacy Commissioner of Canada
What is the Personal Information Protection and Electronic Documents Act?
Part 1 of the Personal Information Protection and Electronic
Documents Act sets down the ground rules for how
organizations may collect, use or disclose information
about you in the course of commercial activities. The law
gives you the right to see and ask for corrections to information
an organization may have collected about you. If you
think an organization covered by the Act is not living up to
its responsibilities under the law, you have the right to lodge
an official complaint.
What is personal information?
“Personal information” under the Act means information
about an “identifiable individual”.
For example, “personal information” includes your
■ name, age, weight, height
■ medical records
■ income, purchases and spending habits
■ race, ethnic origin and colour
■ blood type, DNA code, fingerprints
■ marital status and religion
■ education
■ home address and phone number
“Personal information” does not include the name,
job title, business address or office telephone number
of an employee of an organization that is covered by
the new law.
How does the Act protect my
personal information?
Your ability to control your personal information is key to your
right to privacy.
The Act gives you control over your personal information by
requiring organizations to obtain your consent to collect, use
or disclose information about you. The Act confers certain
rights on individuals, and imposes specific obligations on
organizations.
The law gives you the right to:
■ know why an organization collects, uses or discloses your
personal information;*
■ expect an organization to collect, use or disclose your
personal information reasonably and appropriately, and
not use the information for any purpose other than that
to which you have consented;*
■ know who in the organization is responsible for protecting
your personal information;
■ expect an organization to protect your personal information
by taking appropriate security measures;
■ expect the personal information an organization holds
about you to be accurate, complete and up-to-date;
■ obtain access to your personal information and ask
for corrections;*
■ complain about how an organization handles your
personal information.
The law requires organizations to:
■ obtain your consent when they collect, use or disclose
your personal information;*
■ supply you with a product or a service even if you refuse
consent for the collection, use or disclosure of your
personal information unless the information is essential
to the transaction;*
■ collect information by fair and lawful means;
■ have personal information policies that are clear,
understandable and readily available.
An organization should destroy, erase or make anonymous
personal information about you that it no longer needs in
order to fulfil the purpose for which it was collected.
*There are exceptions to these principles. For example:
an organization may not need to obtain your consent if
collecting the information clearly benefits you and your
consent cannot be obtained in a timely way; or if the
information is needed by a law enforcement agency for an
investigation, and getting consent might compromise the
information’s accuracy.
How can I see the personal information
an organization has about me?
■ Send a written request to the organization holding your
personal information. You must provide enough detail to
allow the organization to identify the information you
want; for example, include dates, account numbers,
and the names or positions of people you may have dealt
with at the organization.
■ Organizations must provide the information requested
within a reasonable time and at minimal or no cost.
How can I correct errors or omissions
in my personal information?
■ Write to the organization that has personal information
about you and explain the correction you are requesting
and why. Supply copies of any documents that support
your request, if you have them.
■ If the organization refuses to correct your personal
information, you may require it to attach a statement of
your disagreement to the file. This statement must be
passed on to any other organization that may have access
to the information.
What if I believe my privacy rights
are being abused?
The Act gives you the right to make a complaint if:
■ you run into any difficulties obtaining your personal
information, if an organization refuses to correct information you consider inaccurate or incomplete, or if you
suspect your personal information has been improperly
collected, used or disclosed;
■ you believe an organization is not following any provision
of the law.
Where do I complain?
■ Contact the Office of the Privacy Commissioner of
Canada during business hours by calling 1 800 282-1376
if you need more information and advice on how you
should proceed.
■ We encourage you to try to settle the matter directly with
the organization about which you are complaining by
contacting the person responsible for handling privacy
issues within the organization.
■ If you are not satisfied with the organization’s response,
you may contact the organization’s industry association,
ombudsman or complaint office, if there is one. For example,
the Canadian Marketing Association and the Canadian
Banking Ombudsman handle customers’ complaints about
their member companies.
■ If you are not satisfied with the way the organization or
industry association handles the matter, contact the Privacy
Commissioner of Canada. There is no fee for making a
complaint to the Privacy Commissioner.
What is the role of the Privacy
Commissioner of Canada?
■ The Privacy Commissioner is an ombudsman who attempts
to resolve disputes through negotiation.
■ The Commissioner has the power to investigate your
complaint.
■ The Commissioner may also initiate his own investigation
or review how an organization handles personal information.
■ The Commissioner can recommend that the organization
release your personal information to you or correct
inaccuracies.
■ The Commissioner can recommend that organizations
change their personal information practices.
■ The Commissioner will report the findings of the
investigation to you and the organization.
What if the organization ignores the
recommendations of the Privacy
Commissioner?
■ The Privacy Commissioner has the power to make public
any information about the personal information practices
of an organization. Few businesses would like to be publicly
identified as violating the privacy rights of individuals.
■ The Privacy Commissioner may also take the complaint to
the Federal Court of Canada on your behalf if he supports
you but has been unable to resolve the dispute.
■ Once you have received the Privacy Commissioner’s report,
you may, under certain circumstances, take your complaint
to the Federal Court of Canada yourself.
■ The Court can order an organization to correct any
practices that do not comply with the law, and to publish
notices of how it has or will correct its practices.
■ The Court can also award damages to the complainant
including damages for humiliation suffered.
What is NOT COVERED by the Personal
Information Protection and Electronic
Documents Act?
■ Any federal government organization already covered
by the Privacy Act.
■ Provincial or territorial governments, and their agents.
■ Any organization that collects, uses or discloses personal
information solely for journalistic, artistic or literary
purposes.
■ An individual’s collection, use or disclosure of personal
information for personal purposes, such as genealogical
research shared with other family members.
When does the Act come into force?
The Act takes effect in three stages spread over three years.
January 1, 2001
At this stage, the Act applies to personal information about
customers or employees (except “personal health information”) that is collected, used or disclosed by “federal works,
undertakings or businesses” in the course of commercial
activities.
(Federal works, undertakings and businesses include
organizations such as the banks, telephone companies,
cable television and broadcasting companies, firms engaged
in interprovincial transportation, and air carriers.)
The Act also applies to personal information that is shared or
disclosed for profit or any kind of benefit across the borders
of Canada or a province, where the information itself is the
subject of the transaction.
The Act also covers all businesses and organizations engaged
in commercial activity in Yukon, the Northwest Territories and
Nunavut.
January 1, 2002
The Act will cover any “personal health information” collected
by those organizations mentioned in the first stage. Personal
health information is information about an individual’s mental
or physical health, including details about any tests, examinations and health services provided.
January 1, 2004
The Act will cover the collection, use or disclosure of personal
information in the course of any commercial activity within a
province, including provincially regulated enterprises such as
retail stores. The federal government may exempt organizations and/or activities in provinces that have their own privacy
laws that are substantially similar to the federal law.
The Act will apply to all personal information in all interprovincial and international transactions by all organizations in the
course of their commercial activities.
FOR MORE INFORMATION
If you have any questions about how a private sector organization handles your personal information or wish to make a
complaint under the new law, please contact our office.
The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3
Telephone: 1 (613) 995-8210
Toll-free: 1 800 282-1376
Fax: 1 (613) 947-6850
Web site: www.privcom.gc.ca
E-mail: [email protected]
Please note that this brochure summarizes the law.
As such, it has no legal status. To obtain the full text of
the law, consult our Web site or contact the Office of the
Privacy Commissioner of Canada.
This publication is also available in French.
February 2001
Office of the Privacy Commissioner of Canada
Commissariat à la protection de la vie privée du Canada
A GUIDE FOR BUSINESSES AND ORGANIZATIONS
Your Privacy Responsibilities
Canada’s Personal Information Protection and Electronic Documents Act
About This Guide
This guide helps businesses understand and meet their new obligations under Part 1 of the
Personal Information Protection and Electronic Documents Act. *
The Act sets out ground rules for the management of personal information in the private sector.
It balances an individual’s right to the privacy of personal information with the need of
organizations to collect, use or disclose personal information for legitimate business purposes.
The Act establishes the Privacy Commissioner of Canada as the ombudsman for complaints under
the new law. The Commissioner seeks whenever possible to solve problems through voluntary
compliance, rather than heavy-handed enforcement. The Commissioner investigates complaints,
conducts audits, promotes awareness of and undertakes research about privacy matters. The
Commissioner is also the ombudsman for complaints under the Privacy Act, which covers the
federal public sector.
Part 1 of the Act comes into force in three phases, beginning January 1, 2001.
For more information, contact:
The Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3
Telephone: 1 (613) 995-8210
Toll-free: 1 800 282-1376
Fax: 1 (613) 947-6850
Web site: www.privcom.gc.ca
E-mail: [email protected]
While prepared with care to ensure accuracy and completeness, this guide has no legal status.
For the official text of the new law, consult our Web site at www.privcom.gc.ca or call the Office
of the Privacy Commissioner.
IP34-7/2000
ISBN: 0-662-65406-4
December 2000
* This guide deals only with Part 1 of the Act. All references to the Act in this document refer only to Part 1. Parts 2 to 5 of the Act concern the
use of electronic documents and signatures as legal alternatives to original documents and signatures. For information on these, contact
the Department of Justice.
Table of Contents
A Word from the Privacy Commissioner of Canada
The Act in Brief
Is Your Organization Subject to the Act?
What is Not Covered by the Act?
Your Responsibilities Under the Act
Be accountable
Identify the purpose of data collection
Obtain consent
Limit collection
Limit use, disclosure and retention
Be accurate
Use appropriate safeguards
Be open
Give individuals access
Provide recourse
Exceptions to the Consent and Access Principles
Role of the Privacy Commissioner of Canada
Complaints to the Privacy Commissioner of Canada
Applications to the Federal Court
Audits of Personal Information Management Practices
Privacy Questionnaire
A Word from the Privacy Commissioner of Canada
George Radwanski
Privacy Commissioner of Canada
The passage of the Personal Information Protection and Electronic Documents Act
marks a significant step forward for Canada, putting it in the forefront of those nations
embracing technological progress and electronic commerce while still protecting
and enhancing long-cherished fundamental rights.
That Canadians are concerned about privacy, that they are enthusiastic about the new economy but cautious about their personal information, is old news. What businesses may find to
be real news is that they themselves can benefit from observing the privacy principles and
fair information practices set out in the Personal Information Protection and Electronic
Documents Act. What the Act is really about is good information management practices, and
every organization benefits from those. We’ve prepared this guide to help businesses appreciate what’s required of them under the Act, and to help them get the full benefit of adopting
the fair information practices that are the heart of the Act.
The Act is not unfailingly simple and straightforward – it is legislation, after all – though
the principles it sets out are plain enough. The Canadian Standards Association’s Model Code
for the Protection of Personal Information, which was developed by business in its own
consultative process, is incorporated into the Act as an appendix (or, in the words of the
legislative drafters, a Schedule). Reading the Act requires some jumping back and forth
between the text of the statute proper and the text of the appended Code.
I think the Act reflects the process of its creation, the hammering out of a consensus between
business professionals, consumer advocates, and public policy experts. I also think businesses
will find any inconveniences of the Act’s structure a small price to pay for a system of regulation that reflects their input, their needs, the realities of their various ways of doing business.
I’m hopeful that, for most businesses, the administration of the Act will feel more like self-regulation than government regulation. And, again, the privacy principles and fair information
practices set out in the Act are not difficult to understand: they are good business practice,
and they make good sense.
As you read the guide, you’ll note the role played by my office: primarily a privacy
ombudsman, determined to get to the bottom of problems and find solutions that work
well for all parties. I take that role very seriously, and I want you to be assured that our oversight role includes giving help and advice to businesses searching for better ways to protect
privacy. I’m looking forward to a vigorous, respectful relationship with business as we move
into this new era of privacy protection. We all have a challenge, we all have much to learn –
and we all have a great deal to gain.
This guide to the legislation is the work of many people and many months. I want to express
my appreciation to the numerous private sector organizations that have donated their time
and expertise to reviewing the guide at various stages of its development. Your advice and
comments have been unfailingly thoughtful and practical.
I look forward to continuing this co-operative relationship as we work together to protect
Canadians’ right to privacy in the months and years ahead.
George Radwanski
Privacy Commissioner of Canada
The Act in Brief
Organizations covered by the Act
must obtain an individual’s consent
when they collect, use or disclose the
individual’s personal information. The individual has a right to access personal information held by an organization and
to challenge its accuracy, if need be. Personal
information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose,
consent must be obtained again. Individuals
should also be assured that their information
will be protected by specific safeguards,
including measures such as locked cabinets,
computer passwords or encryption.
Personal information
Personal information includes any factual or
subjective information, recorded or not,
about an identifiable individual. This
includes information in any form, such as:
■ age, name, ID numbers, income, ethnic origin, or blood type
■ opinions, evaluations, comments, social status, or disciplinary actions
■ employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Personal information does not include the
name, title or business address or telephone
number of an employee of an organization.
Complaints
An individual may complain to the
organization in question or to the Privacy
Commissioner of Canada about any alleged
breaches of the law. The Commissioner may
also initiate a complaint.
Application to the Federal Court
After receiving the Commissioner’s investigation report, a complainant may apply to
the Federal Court for a hearing under certain
conditions as set out in Section 14 of the Act.
The Privacy Commissioner of Canada may
also apply to the Court on his own or on the
complainant’s behalf. The Court may order
an organization to change its practices
and/or award damages to a complainant,
including damages for humiliation suffered.
Audits
The Commissioner may, with reasonable
grounds, audit the personal information
management practices of an organization.
Whistleblowing
Anyone who believes that any of Sections
5 to 10 of the Act have been or are about
to be contravened may notify the
Commissioner, and ask that his or her
identity be kept confidential. Once the
Commissioner has given his assurance,
he is bound to protect the person’s identity.
YOUR PRIVACY RESPONSIBILITIES – A GUIDE TO CANADA’S PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT
Offences
It is an offence to:
■ destroy personal information that an individual has requested
■ retaliate against an employee who has complained to the Commissioner or who refuses to contravene Sections 5 to 10 of the Act
■ obstruct a complaint investigation or an audit by the Commissioner or his delegate.
A person is liable to a fine of up to $10,000
on summary conviction or up to $100,000
for an indictable offence.
DEFINITIONS
Federal work, undertaking or business
Includes “any work, undertaking or business that is under the legislative authority of Parliament”. While most
federally regulated organizations would be captured under this definition, not all these types of organizations
are federal works. For instance, insurance companies and credit unions may be subject to some federal regulation,
but are considered to be within provincial jurisdiction under the Constitution and are not federal works for the
purposes of the Act. The Act defines some of the specific federal works subject to Part 1 as follows:
■ inter-provincial or international transportation by land or water
■ airports, aircraft or airlines
■ telecommunications
■ radio and television broadcasting
■ banks
■ grain elevators
■ nuclear facilities
■ offshore drilling operations.
Note that this is not an exhaustive list of “federal works, undertakings and businesses”. The fact that your company is
federally incorporated does not necessarily mean that it is a federal work, undertaking or business. If your company
is subject to any part of the Canada Labour Code, it is probably a federal work, undertaking or business.
Commercial activity
Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character,
including the selling, bartering or leasing of donor, membership or other fund-raising lists.
Organization
An organization includes an association, a partnership, a person or a trade union.
Consent
Voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference
on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred
from the action or inaction of the individual.
Disclosure
Making personal information available to others outside the organization.
Use
Refers to the treatment and handling of personal information within an organization.
Is Your Organization Subject to the Act?
The Act affects organizations in three stages:
January 1, 2001
In its first stage, the Act applies to personal information (except personal health information) that is collected, used or disclosed in the course of commercial activities by federal works, undertakings and businesses. This includes, but is not limited to, federally-regulated organizations such as banks, telecommunications and transportation companies.
At this stage the Act also applies to personal data that is collected, used or disclosed by these same organizations about their employees.
In addition, at this stage the Act applies to disclosures of personal information for consideration across provincial or national borders, by organizations such as credit reporting agencies or organizations that lease, sell or exchange mailing lists or other personal information. The information itself must be the subject of the transaction and the consideration is for the information.
January 1, 2002
The Act extends to personal health information for the organizations and activities covered in the first stage. Personal health information is defined as information about an individual’s mental or physical health, including information concerning health services provided and information about tests and examinations.
January 1, 2004
The Act extends to the collection, use or disclosure of personal information in the course of any commercial activity within a province. However, the federal government may exempt organizations and/or activities in provinces that have adopted substantially similar privacy legislation.
The Act will also apply to all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.
Quebec is the only province that currently has legislation dealing with personal information in the private sector. The federal government has stated that this legislation meets the test of “substantially similar” and that organizations and activities subject to the Quebec legislation will be exempted from the federal act for intraprovincial matters.
Other provinces and territories are considering private sector legislation.
A QUICK TEST
Is your organization a federal work, undertaking or business
that collects, uses or discloses personal information in the
course of a commercial activity?
If YES, you are subject to the Act as of January 1, 2001. It also
applies to your employees’ personal information as well as
your customers’.
If NO:
Do you disclose personal information outside the province for
consideration? In other words, is personal information the
subject of the transaction?
If YES, that disclosure is subject to the Act beginning
January 1, 2001.
What is Not Covered by the Act?
■ The collection, use or disclosure of personal information by federal government organizations listed under the Privacy Act.
■ Provincial or territorial governments and their agents.
■ An employee’s name, title, business address or telephone number.
■ An individual’s collection, use or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list).
■ An organization’s collection, use or disclosure of personal information solely for journalistic, artistic or literary purposes.
Your Responsibilities Under the Act
Private sector organizations must follow a code for the protection of personal information, which is included in the Act as Schedule 1.
The code was developed by business, consumers, academics and government under the auspices of the Canadian Standards Association. It lists 10 principles of fair information practices, which form ground rules for the collection, use and disclosure of personal information. These principles give individuals control over how their personal information is handled in the private sector.
An organization is responsible for the protection of personal information and the fair handling of it at all times, throughout the organization and in dealings with third parties. Care in collecting, using and disclosing personal information is essential to continued consumer confidence and good will.
The 10 principles that businesses must follow are:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Provide recourse
These principles must be read in conjunction with key sections of the Act, particularly including:
Sections 2 to 10 of the Act
Schedule 1 must be read in conjunction with Sections 2 to 10 of the Act. It is essential to carefully consider the obligations set out in these sections, along with the 10 principles.
Section 2
■ Provides definitions including commercial activity, federal work, undertaking or business, personal information, personal health information and organization.
■ Specifies that the notes under clauses 4.3 and 4.9 of Schedule 1 are not part of the law.
Section 3
Defines the purpose of the Act:
■ recognizes individuals’ right to privacy of their personal information
■ recognizes the need of organizations to collect, use or disclose personal information for legitimate business purposes
■ establishes rules for handling personal information.
Section 4
Defines the scope of the Act’s application:
■ covers all organizations that collect, use or disclose personal information in the course of commercial activities
■ includes the personal information of an employee of a federal work, undertaking or business but not the personal information of other private sector employees.
■ Indicates what is not covered by the Act.
Section 5
■ Stipulates that every organization must comply with the obligations of Schedule 1.
■ In the Schedule:
“shall” means an obligation
“should” means a recommendation, not an obligation.
■ Limits the collection, use and disclosure to purposes that a reasonable person would consider appropriate in the circumstances. The reasonable person’s perspective must be taken into account when applying any aspect of Part 1 of the Act.
Section 6
■ Establishes that identifying an individual to be accountable for compliance does not mean that the organization is not responsible for its obligations as set out in Schedule 1.
Section 7
■ Specifies the circumstances when personal information may be collected, used or disclosed without the individual’s consent.
Section 8
■ Sets out procedures for individuals to make requests for personal information and corrections to that information.
Section 9
■ Explains when access to personal information may be refused.
Section 10
■ Defines an organization’s obligation to provide personal information in an alternative format (e.g. Braille, large print or audio tape) to a person with a sensory disability.
THE REASONABLE PERSON
Section 5 of the Act limits the collection, use and disclosure for purposes that a “reasonable person” would consider appropriate in the circumstances.
Examples:
■ Would a customer renting a movie from a video store consider it reasonable to be required to provide a telephone number? An address? A Social Insurance Number?
■ Would a customer paying cash for a product or service consider it reasonable to be asked for a name, address and phone number?
Fair Information Principles
The following section sets out the responsibilities for each of the 10 fair information
principles of Schedule 1. It outlines how
to fulfil these responsibilities and offers
some tips.
YOUR RESPONSIBILITIES UNDER THE ACT
1. Be accountable
Your responsibilities
■ Comply with all 10 of the principles of Schedule 1.
■ Appoint an individual (or individuals) to be responsible for your organization’s compliance.
■ Protect all personal information held by your organization or transferred to a third party for processing.
■ Develop and implement personal information policies and practices.
How to fulfil these responsibilities
■ Give your designated privacy official senior management support and the authority to intervene on privacy issues relating to any of your organization’s operations.
■ Communicate the name or title of this individual internally and externally (e.g. on Web sites and in publications).
■ Analyze all personal information handling practices including ongoing activities and new initiatives, using the following checklist to ensure that they meet fair information practices:
  ■ What personal information do we collect?
  ■ Why do we collect it?
  ■ How do we collect it?
  ■ What do we use it for?
  ■ Where do we keep it?
  ■ How is it secured?
  ■ Who has access to or uses it?
  ■ To whom is it disclosed?
  ■ When is it disposed of?
■ Develop and implement policies and procedures to protect personal information:
  ■ define the purposes of its collection
  ■ obtain consent
  ■ limit its collection, use and disclosure
  ■ ensure information is correct, complete and current
  ■ ensure adequate security measures
  ■ develop or update a retention and destruction timetable
  ■ process access requests
  ■ respond to inquiries and complaints
■ Include a privacy protection clause in contracts to guarantee that the third party provides the same level of protection as your organization does.
■ Inform and train staff on privacy policies and procedures.
■ Make information available explaining these policies and procedures to customers (e.g. in brochures and on Web sites).
TIPS
Train your front-line and management staff and keep them
informed, so they can answer the following questions:
■ How do I respond to public inquiries regarding our organization’s privacy policies?
■ What is consent? When and how is it to be obtained?
■ How do I recognize and process requests for access to
personal information?
■ To whom should I refer complaints about privacy matters?
■ What are my privacy protections and rights? (This applies to
employees in federally regulated organizations.)
■ What are the ongoing activities and new initiatives relating to
the protection of personal information at our organization?
When transferring personal information to third parties,
ensure that they:
■ Name a person to handle all privacy aspects of the contract.
■ Limit use of the personal information to the purposes specified
to fulfil the contract.
■ Limit disclosure of the information to what is authorized by your
organization or required by law.
■ Refer any people looking for access to their personal information to your organization.
■ Return or dispose of the transferred information upon
completion of the contract.
■ Use appropriate security measures to protect the personal
information.
■ Allow your organization to audit the third party’s compliance
with the contract as necessary.
2. Identify the purpose
Your organization must identify the reasons
for collecting personal information before or
at the time of collection.
Your responsibilities
■ Before or when any personal information is collected, identify why it is needed and how it will be used.
■ Document why the information is collected.
■ Inform the individual from whom the information is collected why it is needed.
■ Identify any new purpose for the information and obtain the individual’s consent before using it.
How to fulfil these responsibilities
■ Review your personal information holdings to ensure they are all required for a specific purpose.
■ Notify the individual, either orally or in writing, of these purposes.
■ Record all identified purposes and obtained consents for easy reference in case an individual requests an account of such information.
■ Ensure that these purposes are limited to what a reasonable person would expect under the circumstances.
TIPS
■ Define your purposes for collecting data as clearly and narrowly as possible so the individual can understand how the information will be used or disclosed.
■ Avoid overly broad purposes as they may conflict with the knowledge and consent principle.
■ Examples of purposes include:
  ■ opening an account
  ■ verifying creditworthiness
  ■ providing benefits to employees
  ■ processing a magazine subscription
  ■ sending out association membership information
  ■ guaranteeing a travel reservation
  ■ identifying customer preferences
  ■ establishing customer eligibility for special offers or discounts.
GRANDFATHERING
Personal information that your company has collected during the course of its commercial activities is subject to the Act. Since it has already been collected, you don’t need to recollect it. However, in order to continue to use or disclose this information, you now require consent. Some organizations have informed all their customers what they do with their information, to whom it is disclosed and given customers the option to object to these ongoing uses or disclosures.
3. Obtain consent
Your responsibilities
■ Inform the individual in a meaningful way of the purposes for the collection, use or disclosure of personal data.
■ Obtain the individual’s consent before or at the time of collection, as well as when a new use is identified.
How to fulfil these responsibilities*
■ Obtain consent from the individual whose personal information is collected, used or disclosed.
■ Communicate in a manner that is clear and can be reasonably understood.
■ Record the consent received (e.g. note to file, copy of e-mail, copy of checkoff box).
■ Never obtain consent by deceptive means.
■ Do not make consent a condition for supplying a product or a service, unless the information requested is required to fulfil an explicitly specified and legitimate purpose.
■ Explain to individuals the implications of withdrawing their consent.
■ Ensure that employees collecting personal information are able to answer an individual’s questions about the purposes of the collection.
* There are some exceptions to the principle of obtaining consent. See page 17 of this guide.
TIPS
■ Consent is normally obtained from the individual whose personal information is collected, used or disclosed.
■ For an individual who is a minor, seriously ill, or mentally incapacitated, consent may be obtained from a legal guardian, or person having power of attorney.
■ Consent is only meaningful if the individuals understand how their information will be used.
■ Consent clauses should:
  ■ be easy to find
  ■ use clear and straightforward language
  ■ not use blanket categories for purposes, uses and disclosures
  ■ be as specific as possible about which organizations handle the information.
■ Consent can be obtained in person, by phone, by mail, via the Internet etc.
■ The form of consent should take into consideration:
  ■ reasonable expectations of the individual
  ■ circumstances surrounding the collection
  ■ sensitivity of the information involved.
■ Express consent should be used whenever possible and in all cases when the personal information is considered sensitive. Relying on express consent protects both the individual and the organization.
4. Limit collection
Your responsibilities
■ Do not collect personal information indiscriminately.
■ Do not deceive or mislead individuals about the reasons for collecting personal information.
How to fulfil these responsibilities
■ Limit the amount and type of the information gathered to what is necessary for the identified purposes.
■ Identify the kind of personal information you collect in your information-handling policies and practices.
■ Ensure that staff members can explain why the information is needed.
TIPS
■ By reducing the amount of information gathered, you can lower the cost of collecting, storing, retaining and ultimately archiving data.
■ Collecting less information also reduces the risk of inappropriate uses and disclosures.
5. Limit use, disclosure and retention
Your responsibilities
■ Use or disclose personal information only for the purpose for which it was collected, unless the individual consents, or the use or disclosure is authorized by the Act.
■ Keep personal information only as long as necessary to satisfy the purposes.
■ Put guidelines and procedures in place for retaining and destroying personal information.
■ Keep personal information used to make a decision about a person for a reasonable time period. This should allow the person to obtain the information after the decision and pursue redress.
■ Destroy, erase or render anonymous information that is no longer required for an identified purpose or a legal requirement.
How to fulfil these responsibilities
■ Document any new purpose for the use of personal information.
■ Institute maximum and minimum retention periods that take into account any legal requirements or restrictions and redress mechanisms.
■ Dispose of information that does not have a specific purpose or that no longer fulfils its intended purpose.
■ Dispose of personal information in a way that prevents improper access. Shredding paper files or deleting electronic records are ideal.
■ Establish policies setting out the types of information that need to be updated. An organization can reasonably expect an individual to provide updated information in certain circumstances (e.g. change of address for a magazine subscription).
TIPS
■ It may be less onerous and complicated to destroy or erase information than to make personal information anonymous.
■ Conduct regular reviews to help determine whether information is still required. Establish a retention schedule to make this easier.
6. Be accurate
Your responsibilities
■ Minimize the possibility of using incorrect information when making a decision about the individual or when disclosing information to third parties.
How to fulfil these responsibilities
■ Keep personal information as accurate, complete and up to date as necessary, taking into account its use and the interests of the individual.
■ Update personal information only when necessary to fulfil the specified purposes.
■ Keep frequently used information accurate and up to date unless there are clearly set out limits to this requirement.
TIPS
■ One way to determine if information needs to be updated is to ask whether the use or disclosure of out of date or incomplete information would harm the individual.
■ Apply the following checklist for accuracy:
  ■ List specific items of personal information required to provide a service.
  ■ List the location where all related personal information can be retrieved.
  ■ Record the date when the personal information was obtained or updated.
  ■ Record the steps taken to verify accuracy, completeness and timeliness of the information. This may require reviewing your records or communicating with the client.
7. Use appropriate safeguards
Your responsibilities
■ Protect personal information against loss or theft.
■ Safeguard the information from unauthorized access, disclosure, copying, use or modification.
■ Protect personal information regardless of the format in which it is held.
How to fulfil these responsibilities
■ Develop and implement a security policy to protect personal information.
■ Use appropriate security safeguards to provide necessary protection:
  ■ physical measures (locked filing cabinets, restricting access to offices, alarm systems)
  ■ technological tools (passwords, encryption, firewalls, anonymizing software)
  ■ organizational controls (security clearances, limiting access on a “need-to-know” basis, staff training, agreements).
■ Review and update security measures regularly.
■ Make your employees aware of the importance of maintaining the security and confidentiality of personal information.
■ Ensure staff awareness by holding regular staff training on security safeguards.
■ The following factors should be considered in selecting appropriate safeguards:
  ■ sensitivity of the information
  ■ amount of information
  ■ extent of distribution
  ■ format of the information (electronic, paper, etc.)
  ■ type of storage.
TIPS
■ Make sure personal information that has no relevance to the transaction is either removed or masked when providing copies of information to others.
■ Keep sensitive information files in a secure area or computer system and limit access to individuals on a “need-to-know” basis only.
8. Be open
Your responsibilities
■ Inform customers, clients and employees that you have policies and practices for the management of personal information.
■ Make these policies and practices understandable and easily available.
How to fulfil these responsibilities
■ Ensure front-line staff is familiar with the procedures for responding to individual inquiries.
■ Make the following available:
  ■ name or title and address of the person who is accountable for your organization’s privacy policies and practices
  ■ name or title and address of the person to whom access requests should be sent
  ■ how an individual can gain access to his or her personal information
  ■ how an individual can complain to your organization
  ■ brochures or other information that explain your organization’s policies, standards or codes
  ■ a description of what personal information is made available to other organizations (including subsidiaries) and why it is disclosed.
TIPS
Information about these policies and practices may be made available in person, in writing, by telephone, in publications or on your organization’s Web site.
9. Give individuals access
Your responsibilities
■ When requested, inform individuals if you have any personal information about them.
■ Explain how it is or has been used and provide a list of any organizations to which it has been disclosed.
■ Give individuals access to their information.
■ Correct or amend any personal information if its accuracy and completeness is challenged and found to be deficient.
■ Provide a copy of the information requested, or reasons for not providing access, subject to exceptions set out in Section 9 of the Act (see page 18).
■ An organization should note any disagreement on the file and advise third parties where appropriate.
■ If your organization extends the time, you must notify the individual making the request within 30 days of receiving the request, and of his or her right to complain to the Privacy Commissioner of Canada.
■ Give access at minimal or no cost to the individual.
■ Notify the individual of the approximate costs before processing the request.
■ Give individuals access to their personal information.
■ Make sure the requested information is understandable. Explain acronyms, abbreviations and codes.
■ Send any information that has been amended, where appropriate, to any third parties that have access to the information.
■ Inform the individual in writing when refusing to give access, setting out the reasons and any recourse available.
■ There are some exceptions to the principle of providing access (see page 18 of this guide).
How to fulfil these responsibilities
■ Provide any help the individual needs to prepare a request for access to personal information.
■ Your organization may ask the individual to supply enough information to enable you to account for the existence, use and disclosure of personal information.
■ Respond to the request as quickly as possible and no later than 30 days after receipt of the request.
■ The normal 30-day response time limit can be extended for a maximum of 30 additional days, according to specific criteria set out at Subsection 8(4) of the Act:
  ■ if responding to the request within the original 30 days would unreasonably interfere with activities of your organization
  ■ if additional time is necessary to conduct consultations
  ■ if additional time is necessary to convert personal information to an alternate format.
TIPS
■ Keep personal information about individuals in one place to make retrieval easier. Or record where all such information can be found.
■ Never disclose personal information unless you are sure of the identity of the requestor and that person’s right of access.
■ If you do not store all personal information in one place, keep a record of where the information can be found to make retrieval easier.
10. Provide recourse
Your responsibilities
■ Develop simple and easily accessible complaint procedures.
■ Inform complainants of avenues of recourse. These include your organization’s own complaint procedures, those of industry associations, regulatory bodies and the Privacy Commissioner of Canada.
■ Investigate all complaints received.
■ Take appropriate measures to correct information handling practices and policies.
■ Acknowledge receipt of the complaint promptly.
■ Contact the individual to clarify the complaint, if necessary.
■ Assign the investigation to a person with the skills necessary to conduct it fairly and impartially.
■ Give the investigator access to all relevant records, employees or others who handled the personal information or access request.
■ Notify individuals of the outcome of investigations clearly and promptly, informing them of any relevant steps taken.
■ Correct any inaccurate personal information or modify policies and procedures based on the outcome of complaints.
How to fulfil these responsibilities
■ Record the date a complaint is received and the nature of the complaint (e.g. delays in responding to a request, incomplete or inaccurate responses, or improper collection, use, disclosure or retention).
TIPS
■ How well your organization handles an individual’s complaint may help preserve or restore the individual’s confidence in your organization.
■ Record all decisions to ensure consistency in applying the Act.
Exceptions to the Consent
and Access Principles
There are a number of exceptions to the requirements
to obtain consent and provide access set
out in the Act.
Exceptions to consent in Section 7
Organizations may collect personal information without the individual’s knowledge or
consent only:
■ if it is clearly in the individual’s interests and consent is not available in a timely way
■ if knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law
■ for journalistic, artistic or literary purposes
■ if it is publicly available as specified in the regulations.
Organizations may use personal information without the individual’s knowledge or consent only:
■ if the organization has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation
■ for an emergency that threatens an individual’s life, health or security
■ for statistical or scholarly study or research (the organization must notify the Privacy Commissioner of Canada before using the information)
■ if it is publicly available as specified in regulations
■ if the use is clearly in the individual’s interest and consent is not available in a timely way
■ if knowledge and consent would compromise the availability or accuracy of the information and collection was required to investigate a breach of an agreement or contravention of a federal or provincial law.
Organizations may disclose personal information without the individual’s knowledge
or consent only:
■ to a lawyer representing the organization
■ to collect a debt the individual owes to the organization
■ to comply with a subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction
■ to a government institution that has requested the information, identified its lawful authority, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national security or the conduct of international affairs; or is for the purpose of administering any federal or provincial law
■ to an investigative body named in the Regulations of the Act or government institution on the organization’s initiative when the organization believes the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspects the information relates to national security or the conduct of international affairs
■ if made by an investigative body for the purposes related to the investigation of a breach of an agreement or a contravention of a federal or provincial law
■ in an emergency threatening an individual’s life, health, or security (the organization must inform the individual of the disclosure)
■ for statistical, scholarly study or research (the organization must notify the Privacy Commissioner before disclosing the information)
■ to an archival institution
■ 20 years after the individual’s death or 100 years after the record was created
■ if it is publicly available as specified in the regulations
■ if required by law.
Exceptions to access in Section 9
Organizations must refuse an individual
access to personal information:
■ if it would reveal personal information about another individual* unless there is consent or a life-threatening situation
■ if the organization has disclosed information to a government institution for law enforcement or national security reasons. Upon request, the government institution may instruct the organization to refuse access or not to reveal that the information has been released. The organization must refuse the request and notify the Privacy Commissioner of Canada. The organization cannot inform the individual of the disclosure to the government institution, or that the institution was notified of the request, or that the Commissioner was notified of the refusal.
* If this information can be removed, the organization must release the remaining information.
Organizations may refuse access to personal
information if the information falls under
one of the following:
■ solicitor-client privilege
■ confidential commercial information*
■ disclosure could harm an individual’s life or security*
■ it was collected without the individual’s knowledge or consent to ensure its availability and accuracy, and the collection was required to investigate a breach of an agreement or contravention of a federal or provincial law (the Privacy Commissioner of Canada must be notified)
■ it was generated in the course of a formal dispute resolution process.
Role of the Privacy Commissioner
of Canada
The Privacy Commissioner of Canada
has oversight of both the Privacy Act
and Part 1 of the Personal Information
Protection and Electronic Documents Act.
These acts protect personal information
according to internationally accepted fair
information principles and practices.
The Commissioner is an Officer of
Parliament, like the Auditor General of
Canada or the Chief Electoral Officer. As an
Officer of Parliament, the Commissioner
reports directly to the House of Commons
and to the Senate, not to the government
of the day. This independence ensures his
impartiality and open-mindedness in
exercising his role as an ombudsman for
privacy matters. The Commissioner makes
recommendations, not orders. However
there is provision to apply to the Federal
Court to review a case.
A privacy ombudsman
Nearly two decades of experience investigating complaints under the Privacy Act have
helped define the Privacy Commissioner’s
ombudsman role. The Privacy Commissioner
relies on the competence, knowledge and
impartiality of his staff to seek whenever
possible to resolve disputes through
investigation, persuasion, mediation and
conciliation. Ideally this approach to resolving disputes can be less intimidating to
complainants and less costly to business
than recourse to the courts. While the
Commissioner protects individual rights, he
is also an advocate for the fair information
principles that form the foundation of the
legislation. The Commissioner’s thorough
investigations and impartiality protect both
individual rights and the organization
against unfair accusations.
Specific responsibilities
under the Act
The Act makes the Commissioner responsible for ensuring compliance with the Act
and for promoting its purposes.
Compliance roles
The Commissioner has five main ways of
ensuring that organizations subject to the
Act adhere to its principles:
■ investigating complaints
■ mediating and conciliating complaints
■ auditing personal information management practices
■ publicly reporting abuses
■ seeking remedies in court.
(See Complaints to the Privacy
Commissioner of Canada, page 21 of
this guide, and Audits of Personal
Management Practices, page 25.)
Promoting the purposes
of the Act
The Commissioner promotes the purposes
of the Act in four ways:
■ education
■ research
■ reporting
■ consultation and agreements.
Education
The Commissioner’s education mandate
includes developing and conducting public
information programs to encourage and
promote understanding of privacy issues.
Research
The Act requires the Commissioner to
undertake and publish research about
protecting personal information so as to
increase knowledge and improve compliance with the Act’s fair information principles. The Commissioner may conduct
independent research on privacy issues
in conjunction with academic or other
researchers. He may also provide grants
and contributions for academic or other
research on privacy issues.
Reporting
The Commissioner may make public any
information about an organization’s
personal information management
practices, if he considers it in the public
interest. He reports annually to Parliament
on privacy issues including the extent to
which provinces have introduced similar
legislation.
Consultation and
agreements
The Commissioner may enter into agreements with provincial counterparts who
have similar powers and duties. These
consultations and agreements may cover
complaint mechanisms, research, and
developing model contracts for protecting
personal information. The Commissioner
will encourage organizations to develop
detailed policies and practices to comply
with Part 1 of the Act.
Complaints to the
Privacy Commissioner
of Canada
Types of complaints
An individual may complain to the Commissioner about any matter specified in Sections 5 to 10 of the Act or in the recommendations or obligations set out in Schedule 1. This includes but is not limited to allegations that an organization:
■ denies an individual access to personal information
■ improperly collects, uses or discloses personal information
■ refuses to correct inaccurate or incomplete information
■ fails to provide access to personal information in an alternative format to an individual with a sensory disability
■ does not use appropriate safeguards to protect personal information.
The Commissioner may initiate a complaint if there are reasonable grounds to
believe that an investigation of a matter
under Part 1 of the Act is warranted.
Time limits
There is no time limit for filing most types
of complaints.
The only exception is a complaint that
access to personal information has been
denied. In this case, the complaint must be
made within six months after the organization’s refusal to provide the information, or
after the expiry of the time limit for responding to the request (see page 15 of this guide
for more on the time limit to respond to a
request). However, the Commissioner
may extend the time limit for an access
complaint.
The Commissioner has one year from the
date of the complaint to prepare a report.
How does the Privacy
Commissioner of Canada
handle complaints?
As an ombudsman, the Commissioner
seeks to take a cooperative and conciliatory
approach to investigations whenever possible. He encourages the resolution of complaints through negotiation and persuasion.
Alternate dispute resolution methods such
as mediation and conciliation may be used
to settle matters at any stage of the investigation process. Although the Commissioner
has the power to summon witnesses, administer oaths and compel the production of
evidence, these means are only likely to
be used if voluntary cooperation is not
forthcoming.
At the outset of an investigation, the
Commissioner will notify the organization in
writing of the substance of the complaint
and will identify the investigator responsible
for the case. The organization may submit
representations to the Commissioner at any
time during the process.
The investigator assigned to the case will
contact the organization’s designated staff
member to indicate how he or she intends
to proceed with the investigation and, if
possible, which records need to be reviewed
and which staff members may be interviewed. The investigator may also indicate
whether on-site visits will be needed.
Investigators obtain information directly
from individuals familiar with the matter
under investigation. These interviews are
conducted in private. Investigators may also
require access to original documents.
Documents given to an investigator are
returned within 10 days of a request for their
return, but they may be asked for again if the
need arises.
Prior to finalizing the investigation, the
results are disclosed to the parties involved.
They may make additional representations if
they see fit. This also gives them the opportunity to resolve the matter before the complaint is finalized.
The investigator submits the results of the
investigation to the Commissioner along
with any representations. The Commissioner
will consider the case and issue a report to
the parties. The Commissioner can request
that an organization give the Commissioner,
within a specified time, notice of any action
taken or proposed to be taken to implement
report recommendations, or explain why no
action has or will be taken. The report
includes the results of the investigation, any
settlement reached by the parties, recommendations such as suggested changes in
information management practices, what
steps the organization has taken or will
take to address these recommendations
and, if applicable, notice of recourse to the
Federal Court.
A complaint may be disposed of in one of
the following three ways:
1. Not well founded
There is no evidence to lead the
Commissioner to conclude that the
organization violated the Act.
2. Well founded
The investigation revealed that the organization failed to respect a provision of the Act
and the complaint was not resolved.
3. Resolved
The investigation supports the complaint,
but the organization agrees to take corrective action to remedy the situation. For
example, the organization agrees to release
personal information previously denied.
The complaint may also be resolved if it
appears to be the result of miscommunication or misunderstanding. For example, an
organization misunderstood the request
and now agrees to release the personal
information sought by the complainant.
The complaint is also resolved if the
complainant is satisfied with the
Commissioner’s efforts and the results.
The Commissioner is not required to issue
an investigation report if:
■ the complainant has not pursued alternate redress mechanisms that are reasonably available
■ the case could be more appropriately dealt with through other legislation
■ too much time has passed since the matter that prompted the complaint and reporting would serve no useful purpose
■ the complaint is trivial, frivolous or vexatious, or is made in bad faith.
Public disclosure
The Privacy Commissioner of Canada may
make public any information relating to the
personal information management practices
of an organization if the Commissioner considers that it is in the public interest to do so.
Applications to the
Federal Court
A complainant may apply to the Federal Court for a hearing. The Privacy
Commissioner of Canada may apply on his own or on a complainant’s
behalf. Normally, an application must be made within 45 days of the
Commissioner’s report.
What Matters Can Be Heard
The Court will consider applications arising
from the complaint or any matter referred to
in the Commissioner’s report and that is
referred to in one of the following:
Under Schedule 1
4.1.3 Whether an organization has properly exercised its responsibility for the personal information in its possession including information transferred to a third party.
4.2 Whether an organization has properly identified and documented the purposes for which personal information is being collected, used or disclosed, at or before the time of collection.
4.3.3 Whether an organization has refused to provide a service to an individual because the individual would not consent to the collection, use or disclosure of more information than necessary for the specified purpose.
4.4 Whether an organization has collected more information than necessary for the purposes or whether it was collected by fair and lawful means.
4.6 Whether the information is accurate, up-to-date and as complete as necessary.
4.7 Whether an organization has taken the necessary steps to safeguard the information.
4.8 Whether an organization has made specific information about its personal information management policies readily available to individuals.
Under Schedule 1 as modified by Sections 5 to 10 of the Act
4.3 Whether personal information has been collected, used or disclosed without the knowledge or consent of the individual, except where permitted or required. (See page 17 of this guide.)
4.5 Whether an organization has used or disclosed personal information for purposes other than those for which it was collected, without the consent of the individual and in circumstances not authorized by the Act. As well, whether an organization has retained the information long enough for a complainant to exhaust his remedies under the Act.
4.9 Whether an individual was wrongly denied access to information about himself except where permitted or required. (See page 18 of this guide.)
Sections of the Act
5(3) Whether the information was collected,
used or disclosed only for purposes
that a reasonable person would consider appropriate.
8(6) Whether an individual has been
charged too much for access to information or was not notified in advance
of the cost.
8(7) Whether an organization has informed
the individual in writing of a refusal to
give access, has given the reasons for
the refusal and set out the appropriate
recourse available.
10 Whether an organization has failed to
grant access in an alternative format
to an individual with a sensory
disability.
Remedies available through Federal Court
The Federal Court may order an organization
to correct practices that do not comply with
Sections 5 to 10 of the Act. The Court may
also order an organization to publish a
notice of any action taken or proposed to
correct its practices. The Court can award
damages to a complainant, including
damages for humiliation. There is no
ceiling on monetary damages that the
Court may award.
Audits of Personal Information
Management Practices
The Act gives the Privacy Commissioner
of Canada the authority to audit an
organization’s personal information
management practices when he has reasonable grounds to believe the organization is
not fulfilling its obligations under Part 1 of
the Act or is not respecting the recommendations of Schedule 1.
What can lead to an audit?
The following are examples of circumstances
that may lead the Commissioner to audit the
personal information management practices
of an organization:
■ a group or series of complaints about a particular organization’s practice(s)
■ information provided by an individual under the whistleblower provision
■ an issue receiving media attention.
What to expect from an
audit by the Commissioner
In keeping with the Commissioner’s
ombudsman approach, privacy audits are
non-confrontational whenever possible
and can be useful for organizations wanting
to improve their personal information
handling practices.
The Commissioner will inform the organization in writing that an audit will be undertaken. The letter will specify the audit’s focus,
propose a reasonable time frame, and name
the officer delegated to conduct the audit.
Although the Commissioner has the
power to summon witnesses, administer
oaths and compel organizations to produce
evidence, audits are unlikely to be conducted on such a formal basis unless
voluntary cooperation is not forthcoming.
The officer will meet with the organization’s representative for a preliminary
discussion of the intent, purpose and scope
of the review.
When the officer requires access to any
of the organization’s premises, he or she will
satisfy security requirements. The officer
may interview any person in private on the
premises, examine records and obtain copies
or extracts of such records. The officer will
return any document within 10 days of a
request for their return but may ask for them
again if the need arises.
Once the audit is finished, the officer will
debrief the organization’s representative on
the findings. The officer will report the audit
findings to the Commissioner who will make
recommendations. The Commissioner will
send the report to the organization and may
ask to be kept informed of actions the
organization takes to correct problems.
The Commissioner may include the audit
report in his annual report or he may make
public the personal information management practices of an organization if he
considers it to be in the public interest
to do so.
Privacy Questionnaire
The following are some common sense
questions you can use to help your
organization implement the Personal
Information Protection and Electronic
Documents Act. The questionnaire may be
used along with the description of the Act in
this guide.
If you are unsure about whether or when
the Act applies to your organization, please
refer to page 3 of this guide.
Not all of the following questions will
apply to all organizations, as the Act applies
to a wide variety and size of organizations.
Consider each question along with your
organization’s current practices. Answering
“no” indicates areas that need to be
addressed or improved.
Personal information holdings
❏ Do you know what personal information is?
❏ Do you collect, use or disclose personal information in your day-to-day commercial activities?
❏ Do you have an inventory of your personal information holdings?
❏ Do you know where personal information is held (physical locations and files)?
❏ Do you know in what format(s) the personal information is kept (electronic, paper, etc.)?
❏ Do you know who has access to personal information in and outside your organization?
Accountability of organization and staff
❏ Have you named a privacy officer who is responsible for your organization’s overall compliance with the Act?
❏ Is this responsibility shared with more than one person?
❏ If these responsibilities are shared, have they been clearly identified?
❏ Can your staff respond to internal and external privacy questions on behalf of the organization, or do they know who should respond?
❏ Does your staff know who receives and responds to:
  ❏ requests for personal information?
  ❏ requests for correction?
  ❏ complaints from the public?
❏ Do your customers know whom to contact:
  ❏ for general inquiries regarding their personal information?
  ❏ to request their personal information?
  ❏ to request corrections to their personal information?
  ❏ for complaints?
❏ Is your privacy officer able to explain to the public the steps and procedures for requesting personal information and filing complaints?
❏ Has your staff been trained on the Act?
❏ Will there be ongoing training?
❏ Is your staff able to explain the purposes
for the collection, use and disclosure of
personal information to customers in
easy to understand terms?
❏ Is your staff able to explain to customers
when and how they may withdraw consent and what the consequences, if any,
there are of such a withdrawal?
❏ Will you inform your employees of new
privacy issues raised by technological
changes, internal reviews, public complaints and decisions of the courts?
Information for customers
and employees
❏ Do you have documents that explain
your personal information practices and
procedures to your customers?
❏ Does this information include how to:
❏ obtain personal information?
❏ correct personal information?
❏ make an inquiry or complaint?
❏ Does this information describe personal
information that is:
❏ held by the organization and how it
is used?
❏ disclosed to subsidiaries and other
third parties?
❏ Do you have a privacy policy for your
Web site?
❏ Is your privacy policy prominent and easy
to find? Is it easily understandable?
❏ Do your application forms, questionnaires, survey forms, pamphlets and
brochures clearly state the purposes
for the collection, use or disclosure of
personal information?
❏ Have you reviewed all your public
information material to ensure that
any sections concerning personal information are clear and understandable?
❏ Have you ensured that the public can
obtain this information easily and
without cost?
❏ Is this information reviewed regularly to
ensure that it is accurate, complete and
up to date?
❏ Does this information include the current
name or title of the person who is responsible for overseeing compliance with
the Act?
Limiting collection, use,
disclosure and retention
to identified purposes
❏ Have you identified the purposes for
collecting personal information?
❏ Are these purposes identified at or before
the time the information is collected?
❏ Do you collect only the personal information needed for identified purposes?
❏ Do you document the purposes for which
personal information is collected?
❏ If you gather and combine personal
information from more than one source,
do you ensure that the original purposes
have not changed?
❏ Have you developed a timetable for
retaining and disposing of personal
information?
❏ When you no longer require personal
information for the identified purposes
or it is no longer required by law, do you
destroy, erase or make it anonymous?
Consent
❏ Does your staff know that an individual’s
consent must be obtained before or at
the time they collect personal information?
❏ Does your staff know they must obtain an
individual’s consent before any new use
or new disclosure of the information?
❏ Do you use express consent whenever
possible, and in all cases where the information is sensitive or the individual
would reasonably expect it?
❏ Is your consent statement worded clearly,
so that an individual can understand
the purpose of the collection, use or
disclosure?
❏ Do you make it clear to customers that
they need not provide personal information that is not essential to the purpose
of the collection, use or disclosure?
Safeguards
❏ Have you reviewed your physical, technological and organizational security measures?
❏ Do they prevent improper access, modification, collection, use, disclosure and/or disposal of personal information?
❏ Is personal information protected by security safeguards that are appropriate to the:
  ❏ sensitivity of the information?
  ❏ scale of distribution?
  ❏ format of the information?
  ❏ method of storage?
❏ Have you developed a “need-to-know” test to limit access to personal information to what is necessary to perform assigned functions?
❏ Has your staff been trained about security practices to protect personal information? For example, is staff aware that personal information should not be left displayed on their computer screens or desktops in their absence?
❏ Is your staff aware that they should properly identify individuals and establish their right to access the personal information before disclosing it?
Third party transfers
❏ Do you use contracts to ensure the protection of personal information transferred to a third party for processing?
❏ Does the contract limit the third party’s use of information to purposes necessary to fulfil the contract?
❏ Does the contract require the third party to refer any requests for access or complaints about the information transferred to you?
❏ Does the contract specify how and when a third party is to dispose of or return any personal information it receives?
Ensuring accuracy
❏ Do you have rules about who is permitted
to add, change or delete personal
information?
❏ Is personal information sufficiently accurate, complete and up to date to minimize
the possibility that your organization
might use inappropriate information?
❏ Does your organization document when
and how personal information is updated,
to ensure its accuracy?
❏ Do you ensure that personal information
received from a third party is accurate
and complete?
❏ Is there a records management system
that assigns user accounts, access rights
and security authorizations?
❏ Do you ensure that no unauthorized
parties may dispose of, obtain access to,
modify or destroy personal information?
Requests for access to personal information
❏ Is your staff aware of the time limits the
law allows to respond to access requests?
❏ Can you retrieve personal information to
respond to individual access requests
with a minimal disruption to operations?
❏ Do your information systems facilitate
the retrieval and accurate reporting of
an individual’s personal information,
including disclosures to third party
organizations?
❏ Do you provide personal information to
the individual at minimal or no cost?
❏ Do you advise requesters of costs, if any,
before personal information is retrieved?
❏ Do you record an individual’s response to
being notified of the cost of retrieving
personal information?
❏ Do you provide personal information in a
form that is generally understandable? (For
example, do you explain abbreviations?)
❏ Does your organization have procedures
for responding to requests for personal
information in an alternate format (such
as Braille or audiotapes)?
Handling complaints
❏ Can an individual easily find out how to
file a complaint with you?
❏ Do you deal with complaints in a timely
fashion?
❏ Do you investigate all complaints
received?
❏ Are your customer assistance and other
front-line staff able to distinguish a
complaint under the law from a general
inquiry? If unsure, do they discuss this
with the individual?
❏ Do you advise individuals about all available avenues of complaint, including the
Privacy Commissioner of Canada?
❏ Are staff responses to public inquiries,
requests and complaints reviewed to
ensure they are handled fairly, accurately
and quickly?
❏ When a complaint is found to be justified,
do you take appropriate corrective measures, such as amending your policies and
advising staff of the outcome?