The Personal Information Protection and Electronic Documents Act
Federal privacy law restricts business use of client and employee information
For years the federal Privacy Act and the provincial Freedom of Information and Protection of Privacy Act have regulated government collection, use and disclosure of personal information. This year, for the first time, federally regulated commercial enterprises came under statutory restrictions on what they can do with customer and employee information, and similar restrictions will extend to other commercial enterprises on January 1, 2004 under the Personal Information Protection and Electronic Documents Act (the "Act").
This is a statute that lawyers need to be aware of, especially when advising organizations engaged in commercial activity.
The Act came into force on January 1, 2001. It currently applies to personal information about customers or employees that is collected, used or disclosed by "federal works, undertakings, or businesses" in the course of commercial activities. These include banks, telephone companies, and firms engaged in interprovincial transportation. The Act also currently applies to personal information that is shared or disclosed for profit of any kind across the borders of Canada or a province, and applies to all businesses and organizations engaged in commercial activity in any of the three territories.
Commencing January 1, 2004, however, the Act will also apply to the collection, use and disclosure of personal information by all organizations engaged in "commercial activities" (a phrase very broadly defined in the Act), even if those organizations are otherwise provincially regulated.
Lawyers who advise organizations engaging in commercial activities will need to be familiar with the Act. The Act generally prohibits organizations from collecting, using, or disclosing personal information without the consent of the person to whom the information belongs, subject to certain exceptions. These organizations must also adopt personal information policies that are clear, understandable and readily accessible. The manner in which organizations engaged in commercial activity obtain, use or disclose personal information about customers or employees is now regulated.
It is also worth noting that the Act prohibits organizations from refusing services to individuals who decline to provide the organization with personal information about themselves.
If an organization fails to comply with the Act, a complaint may be filed with the Privacy Commissioner, who is afforded broad powers. The Privacy Commissioner is responsible for ensuring that organizations collect, use or disclose personal information in a manner that is responsible and transparent. The Commissioner has the power to conduct an audit of any organization's information management practices at any reasonable time, on giving reasonable notice. In conducting the audit, the Commissioner can summon persons, administer oaths, receive evidence, enter the premises of an organization and examine or obtain copies of any records.
In handling complaints, the Commissioner acts as an "ombudsperson" and does not issue orders or penalties, but rather attempts to arrive at solutions through a process of negotiation. It is, however, a criminal offence to obstruct the Commissioner during an investigation or an audit.
The Commissioner can make recommendations to an organization to release personal information to the person to whom it belongs, to correct inaccuracies in the information or to change personal information management practices within the organization. The Commissioner has the power to make public any information about the personal information practices of an organization, and may take a complaint to the Federal Court of Canada if otherwise unable to resolve a dispute. In addition, if a complainant is dissatisfied with the outcome of the complaint or otherwise desires a hearing of the matter, the complainant may seek a hearing in Federal Court.
That court has jurisdiction to order organizations to correct practices that do not comply with the Act and to publish notices as to how the organization has corrected, or will correct, its information handling practices. The Federal Court is also given the jurisdiction to award damages to any complainant, including damages for humiliation that he or she has suffered.
A lawyer advising organizations governed by the Act will wish to ensure that such clients are aware of the powers of both the Commissioner and the Federal Court.
Insofar as they are engaged in "commercial activity," law firms themselves may expect to be subject to this legislation as of January 1, 2004.
The personal information of clients of the firm would generally be exempted under the provisions of the Act, and lawyers - of course - already have extensive professional obligations in dealing with any personal information of clients that is either privileged or confidential. With respect to personal information of employees or other non-client individuals with whom a law firm may be dealing, the firm ought to consider creating and implementing appropriate information management practices, and ensure that those practices are known, understood and followed.
Indeed, "national" law firms with offices in two or more provinces or territories may already be subject to the Act and ought to consider implementing information management practices, if they have not already done so.
The federal Cabinet may, by order, exempt an organization from the application of the Act with respect to the collection, use or disclosure of personal information within a particular province if the Cabinet is satisfied that the legislation of that province is substantially similar to Part 1 of the Act. However, even if an organization is exempted within a province, if that organization engages in commercial activity in an "extraprovincial" sense, it is likely that the Act would still apply.
* * *