Ontario - Data Protection Overview
1. Governing Texts
The Office of the Information and Privacy Commissioner of Ontario's ('OIPC') role is to ensure that Ontario public institutions and health information custodians abide by privacy laws and principles. The OIPC assists with resolving privacy complaints and has broader powers to investigate and research privacy and data protection issues. The OIPC also publishes guidance documents to promote compliance with Ontario's privacy laws.
In Ontario, public organisations are governed by the following access and privacy laws:
- the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31 ('FIPPA');
- the Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. M.56 ('MFIPPA');
- the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A ('PHIPA');
- Part X of the Child, Youth and Family Services Act, 2017, S.O. 2017, c. 14, Sched. 1 ('CYFSA'); and
- the Anti-Racism Act, 2017, S.O. 2017, c. 15.
These acts help to protect personal information and data held by Ontario public institutions. More information on these acts is found below.
There are five main statutes that the OIPC oversees:
- FIPPA and associated regulations protect the privacy of individuals with respect to personal information about themselves that is held by provincial institutions and provide individuals with a right of access to that information;
- the MFIPPA and associated regulations protect the privacy of individuals with respect to personal information about themselves that is held by municipal institutions and provide individuals with a right of access to that information;
- PHIPA and the associated regulation establish rules for the collection, use, and disclosure of personal health information, provide individuals with a right to access their personal health information, and provide for independent review and resolution of complaints with respect to personal health information;
- Part X of the CYFSA and associated regulations establish rules to protect the privacy and confidentiality of personal information in the custody or control of service providers and to enable access to personal information; and
- the Anti-Racism Act authorises or requires select public sector organisations to collect and use personal information for the purposes of eliminating systemic racism and sets out privacy obligations to protect that personal information.
The Office of the Privacy Commissioner of Canada ('OPC') administers the two federal privacy statutes which are applicable in Ontario:
- Privacy Act, R.S.C., 1985, c. P-21 ('the Privacy Act'); and
- Personal Information Protection and Electronic Documents Act 2000 ('PIPEDA').
The Privacy Act and associated regulations apply to the Government of Ontario's ('the Government') collection, use, and disclosure of personal information while providing services such as old age security pensions, employment insurance, and tax collection and refunds. PIPEDA and associated regulations establish the rules for how private-sector organisations collect, use, and disclose personal information during for-profit, commercial activities across Canada.
On 17 June 2021, the Government released the Modernizing Privacy in Ontario white paper outlining its proposals on modernising Ontario's privacy regimes and enhancing the public's confidence in Ontario's digital economy. The white paper suggests that the proposed new legislation would be supplementary to the PHIPA. On 14 June 2022, the OIPC's current commissioner, Patricia Kosseim, reiterated the need for an Ontario private sector privacy law and updates to Ontario's existing privacy and access regime.
On 16 June 2022, the Government introduced Bill C-27, the Digital Charter Implementation Act, 2022. If passed, Bill C-27 would:
- enact the Consumer Privacy Protection Act ('CPPA') which would replace parts of PIPEDA that regulate the processing of personal information;
- enact the Personal Information and Data Protection Tribunal Act which establishes an administrative tribunal to hear appeals of certain decisions made under the CPPA and impose penalties for contravention of its provisions; and
- enact the Artificial Intelligence and Data Act which introduces rules to regulate high-impact artificial intelligence systems.
The focus of this summary will be on FIPPA, the MFIPPA, and PIPEDA, with more limited information on PHIPA, the CYFSA, and the Privacy Act.
PHIPA and Ontario Regulation 329/04 under PHIPA ('the Regulation') apply to the healthcare sector and to organisations that receive or process personal health information.
Both the OIPC and the OPC regularly publish guidance materials on their websites to inform organisations and the public about their rights and responsibilities under Ontario's and Canada's privacy laws.
1.3. Case law
The OIPC and the OPC will, from time to time, publish reports related to their enforcement actions on their websites. Such enforcement reports are complemented by case law in order to provide direction to organisations and individuals with respect to privacy compliance requirements.
Of particular note is Jones v. Tsige, 2012 ONCA 32, a case under Canadian common law. In this case, the Ontario Court of Appeal ('the Court of Appeal') recognised a right of action for intrusion upon seclusion, which is essentially a common law tort of invasion of privacy. Both parties worked at different branches of the Bank of Montreal ('BMO'). Tsige, the defendant, became involved with Jones' former husband, and Tsige used her workplace computer to access Jones' personal BMO accounts over 100 times in the span of four years. Jones became suspicious and reported Tsige to BMO. Tsige has since apologised for her actions. Jones brought an action against Tsige for the tort of invasion of privacy.
The motion judge dismissed Jones' motion and Jones appealed to the Court of Appeal. The Court of Appeal reviewed Canadian and American common law and legislation and held that recognising a right of action for intrusion upon seclusion was appropriate. The main elements of such an action are whether:
- the defendant's conduct was intentional;
- the defendant invaded the plaintiff's private affairs or concerns without lawful justification; and
- a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.
The Court of Appeal also fixed the range of damages for intrusion upon seclusion at up to CAD 20,000 (approx. €13,530).
The Court of Appeal found that Tsige committed the tort of intrusion upon seclusion as her actions satisfied the three elements of the action. In determining damages, the Court of Appeal considered the deliberateness of Tsige's actions balanced by the fact that Jones suffered no public embarrassment or financial harm and Tsige's apology for her conduct. The Court of Appeal fixed the damages award at CAD 10,000 (approx. €6,760).
The common law tort of intrusion upon seclusion established in Jones v. Tsige has been limited by the Court of Appeal to cases where the defendant itself has deliberately invaded the plaintiff's privacy.
On 25 November 2022, the Court of Appeal released a trio of decisions which held that the tort of intrusion upon seclusion is not an available cause of action against a defendant who failed to prevent a privacy breach by a third-party threat actor. Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, and Winder v. Marriott International, Inc., 2022 ONCA 815 were proposed class actions arising from cyberattacks on commercial defendants who collected and stored personal information.
In all three decisions, the plaintiffs pleaded the tort of intrusion upon seclusion in the context of third-party threat actors accessing or using the plaintiffs' personal information, which the commercial defendants had collected in the course of business. The plaintiffs alleged that under the tort of intrusion upon seclusion, the defendants were liable for failing to take adequate steps to protect the personal information from the threat actors.
The Court of Appeal relied on the test for certification as a class proceeding under section 5(1)(a) of the Ontario Class Proceedings Act, 1992 whereby a plaintiff must establish that the pleading discloses a cause of action.
After applying the section 5(1)(a) test, the Court of Appeal found that it was plain and obvious that the claim for intrusion upon seclusion could not succeed on the facts of the case since the 'intrusion' flowed from the threat actor's conduct in illegally accessing the stored information, rather than the defendant's alleged failure to protect the information. The Court of Appeal further stated that extending the tort of intrusion upon seclusion to circumstances involving a third party threat actor would be a 'giant step in a very different direction' since defendants would be liable for the intentional torts of third parties.
The Court of Appeal reiterated that victims of a data breach have other remedies in their toolkit, including suing the threat actors for breach of privacy, or pursuing a claim in contract, negligence, or statute against the defendant company that was subject to the data breach.
While the Court of Appeal's decision denied the extension of the tort of intrusion upon seclusion to data breaches by third party threat actors, victims of data breaches may soon be able to rely on a statutory cause of action for damages against companies that are subject to the proposed CPPA under Bill C-27.
2. Scope of Application
FIPPA applies to institutions. These are defined in Section 2(1) of FIPPA as the Legislative Assembly, a ministry of the Government, a service provider organisation under Section 17.1 of the Ministry of Government Services Act 1990, a hospital, and any other body designated as an institution in the regulations (including universities and colleges).
The MFIPPA also applies to institutions, which are defined as a municipality, a municipal board (including but not limited to a city board, school board, transit commission, or police services board), and any other body designated as an institution in the regulations (Section 2(1) of the MFIPPA).
PHIPA applies to the collection of personal health information by a health information custodian ('HIC') and the use or disclosure of personal health information by a HIC or a person to whom a HIC disclosed the information. The HIC is defined to include a health care practitioner, a person who operates a hospital, long-term care home, retirement home, pharmacy, or home for special care, and the Minister of Health and Long-Term Care (Section 3 of PHIPA).
Part X of the CYFSA applies to service providers. A service provider is defined as the Minister of Children and Youth Services, a licensee under the CYFSA, a person or entity that provides a service funded under the Act, a prescribed person or entity, or a lead agency designated by the Minister (Sections 2(1) and 281 of the CYFSA). Institutions subject to FIPPA or the MFIPPA, and health information custodians subject to PHIPA, are exempt from Part X of the CYFSA (Section 285(2) of the CYFSA).
The Privacy Act applies to the Federal Government of Canada ('the Federal Government') institutions listed in Schedule 3.
PIPEDA applies to organisations including associations, partnerships, not-for-profit organisations, persons, and trade unions. Organisations captured under PIPEDA include those that collect, use, or disclose personal information during commercial activities. PIPEDA also applies to organisations that collect, use, or disclose personal information about an employee or an applicant for employment with the organisation in connection with the operation of a federal work, undertaking, or business (Sections 2 and 4 of PIPEDA). Essentially, PIPEDA applies to federally regulated organisations and private sector organisations operating in Ontario.
However, as Ontario has enacted PHIPA (which is substantially similar to PIPEDA), organisations subject to PHIPA are generally exempt from PIPEDA with respect to the collection, use, or disclosure of personal health information.
Generally, FIPPA and the MFIPPA prevail over any other Ontario legislation (with a few exceptions). For another law to take precedence, it must expressly state that it prevails over FIPPA or the MFIPPA.
The territorial scope of the laws mentioned in this note is Ontario, with PIPEDA also being applicable given that it is federal legislation.
Under FIPPA and the MFIPPA, personal information means recorded information about an identifiable individual, including ethnicity, age, sex, marital status, education, employment history, identifying numbers, address, personal opinions, or criminal history (Section 2(1) of FIPPA and Section 2(1) of the MFIPPA). Under the CYFSA, personal information has the same meaning as it does in FIPPA (Section 2(1) of the CYFSA).
Under PHIPA, personal health information means identifying information about an individual in oral or recorded form where such information is a plan of service or health number, identifies a health care provider or substitute decision-maker, is derived from the testing of bodily substances, or relates to the individual's physical or mental condition, the provision of health care, eligibility for health care, or donation of body parts (Section 4 of PHIPA).
Under PIPEDA, personal information means information about an identifiable individual, whether factual or subjective, recorded or not, which includes age, name, identification numbers, ethnicity, social status, employee files, loan records, medical records, or evaluations (Section 2 of PIPEDA).
Under the Privacy Act, personal information means information about an identifiable individual that is recorded in any form. Examples include race, religion, age, marital status, medical history, criminal history, address, fingerprints, or opinions (Section 3 of the Privacy Act).
3.1. Main regulator for data protection
The OIPC was established in 1987 under FIPPA to provide independent oversight of Ontario's access and privacy laws. The Commissioner is an officer of the Legislature and is appointed by and reports to the Legislative Assembly of Ontario. The Commissioner is independent of the Government of the day.
The OPC was established in 1983 following the passing of the Privacy Act. The mission of the OPC is to protect and promote privacy rights, and the mandate of the OPC is to oversee compliance with the Privacy Act and PIPEDA. The OPC is independent of Government and reports directly to the Parliament of Canada ('the Federal Parliament').
3.2. Main powers, duties and responsibilities
Apart from overseeing Ontario's access and privacy laws, the OIPC also investigates privacy complaints related to personal information, ensures compliance with legislation, reviews privacy policies and information management practices, and comments on proposed Government legislation.
The OPC carries out its mission to protect and promote the privacy rights of individuals by investigating complaints, conducting audits, pursuing court action under the federal privacy laws, publicly reporting on the personal information handling practices of public and private sector organisations, researching privacy issues, and promoting public awareness of privacy issues. The Economic and Fiscal Update Act of 2020 ('the Fiscal Act') was enacted on 25 March 2020 and amends PHIPA to add regulation-making power for the OIPC, including a new power for the OIPC to inspect records of personal health information without consent where the records may have been abandoned (Section 60 of PHIPA).
Individuals can make complaints to the organisation, which must investigate all complaints. Individuals are encouraged to resolve their complaints with the organisation directly first, but they can file a formal complaint with the OPC if the issue cannot be resolved. The Investigations and Inquiries Branch of the OPC will review the complaint and recommend an outcome to the OIPC, who will make the ultimate decision.
4. Key Definitions
Data controller: 'Data controller' and 'data user' are not explicitly defined in Ontario and federal statutes. Instead, FIPPA and the MFIPPA refer to 'institutions', PHIPA refers to 'health information custodians', and the CYFSA refers to 'service providers'. PIPEDA refers to 'organisations' and the Privacy Act refers to 'government institutions'.
See section on personal scope above for descriptions of these terms.
Data processor: 'Data processor' is not explicitly defined in Ontario and federal statutes. Instead, FIPPA and the MFIPPA refer to 'institutions', PHIPA refers to 'health information custodians', and the CYFSA refers to 'service providers'. PIPEDA refers to 'organisations' and the Privacy Act refers to 'government institutions'.
See section on personal scope above for descriptions of these terms.
Personal data: 'Personal information' is defined slightly differently under Ontario and federal Canadian privacy laws, but generally means information about an identifiable individual (specified as recorded information in some statutes). Examples include race, ethnicity, age, sex, family status, criminal or employment history, address, telephone numbers, and opinions of the individual.
See section on territorial scope above for additional details on each statute.
Pseudonymisation: 'Pseudonymisation' is not defined in Ontario and federal statutes. However, FIPPA contains provisions on data integration to allow sharing of information between Government and agencies and introduces the concept of de-identification, which is the process of removing information that identifies an individual and information that could be used, alone or with other information, to identify an individual based on what is reasonably foreseeable.
Health Number: 'Health number' means the number, the version code, or both assigned to an insured person within the meaning of the Health Insurance Act, RSO 1990, c. H.6 by the General Manager within the meaning of that Act (from PHIPA).
5. Legal Bases
Organisations under PIPEDA must obtain the knowledge and meaningful consent of the individual for the collection, use, or disclosure of personal information, except where it would be inappropriate to do so. Some situations where consent might be inappropriate include legal, medical, or security reasons that make it impractical to seek consent, obtaining personal information for fraud or law enforcement purposes, or where the individual lacks mental capacity. Individuals under PIPEDA also have the right to access personal information held by an organisation, challenge its accuracy, and have it amended as appropriate.
To comply with the identifying purposes requirements under PIPEDA, organisations are to identify and document why personal information is needed and notify individuals of the purposes for collection. Under the consent principle, organisations are to obtain the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where it would be inappropriate to do so. Under the limiting collection principle, organisations are not to collect personal information indiscriminately or deceive individuals about the reasons for collection.
Ontario's privacy legislation does not explicitly provide for the concept of a 'data controller'. Instead, the legislation governs how institutions and regulated entities can collect, use, and disclose personal information. Under FIPPA and the MFIPPA, no person can collect personal information on behalf of an institution unless the collection is expressly authorised by statute, used for law enforcement purposes, or necessary to the proper administration of a lawfully authorised activity.
Personal information must be collected directly from the individual, except in limited circumstances. Notice must be provided to individuals when personal information is collected on behalf of the institution, informing the individual of the legal authority for the collection, the principal use of the information, and the contact information of a public official who can answer the individual's questions about the collection.
Personal information that is collected under FIPPA and the MFIPPA can only be used or disclosed for the purposes for which it was collected, subject to certain circumstances, for example with the individual's consent, for the purpose of complying with other laws, and for compassionate circumstances. Institutions must ensure that personal information records are accurate and retain personal information for at least one year after its use, subject to certain exceptions. Institutions must also ensure the security and confidentiality of personal information records and the transfer and destruction of personal information must also meet security requirements.
Under PHIPA, HICs are generally required to obtain an individual's consent to collect, use, or disclose personal health information, unless PHIPA allows otherwise. A HIC must ensure that personal health information is accurate and protected against theft, loss, and unauthorised use and disclosure. In addition, HICs must ensure that records of personal health information are transferred and disposed of in a secure manner. Notably, the Fiscal Act creates a new obligation for HICs that use electronic means to collect, use, disclose, modify, retain, or dispose of personal health information to maintain, audit, and monitor an electronic audit log (Section 10.1 of PHIPA).
An amendment to subsection 52(1.1) of PHIPA now provides individuals with the right to access a record of personal health information in an electronic format that meets the prescribed requirements or a format that is specified in accordance with the regulations.
In addition, section 34 of PHIPA is amended to allow prescribed persons, and health information custodians that are providing health care to a person, to collect or use the person's health number, with the person's consent, for certain verification and linking purposes. Section 39 is amended to permit the disclosure of personal health information for purposes related to the Immunization of School Pupils Act 2017.
Part X of the CYFSA requires service providers to have an individual's consent to collect, use, or disclose personal information unless otherwise authorised. Service providers must ensure that the personal information is accurate and take reasonable steps to protect personal information in their custody or control against theft, loss, or unauthorised collection, use, or disclosure.
Under PIPEDA, consent is not required if the collection and use of information is clearly in the interests of the individual and consent cannot be obtained in a timely way. This exemption, however, has limited application in practice as there is a paucity of guidance regarding the meaning of what is in the interests of the individual (except in situations involving threats to health or safety).
Under PIPEDA, consent is not required where it is reasonable to expect that the collection with the consent of the individual would compromise the availability of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of Canada's federal or provincial laws.
Further, consent is not required if the collection of the information is for the purpose of disclosing the information as required by law or made to a Government or Government institution that has identified its lawful authority and has indicated that it suspects the information relates to national security, the defence of Canada, or the conduct of international affairs.
Publicly available information
Regulations under PIPEDA provide that consent is not required for the collection, use, and disclosure of certain publicly available information, e.g., published information and court decisions, although some restrictions apply. In general terms, for the exemption to apply, the collection, use, or disclosure must be related to the purpose for which the information is publicly available.
Canadian privacy statutes governing the private sector generally allow for the collection, use, and disclosure of employee personal information without consent if solely for the purposes reasonably required to establish, manage, or terminate an employment relationship between the organisation and that individual.
While the statutes allow for the collection of personal information without consent within the bounds of reasonableness, they nonetheless require the employer to be transparent. Accordingly, organisations must generally notify employees that such data collection is occurring and explain the purpose(s) for the collection (such as employee safety).
In addition to the data protection statutes that can apply to employee personal information, workplace privacy issues have long been addressed in the labour and employment context by arbitrators and the courts. A significant body of law has been built up in that context in respect of privacy-based limitations on management rights, for example, drug and alcohol testing, workplace surveillance, and investigations.
Schedule 1 of PIPEDA sets out a code that organisations must follow for the protection of personal information.
The code consists of ten principles for the protection of personal information, which include:
- identifying purposes;
- limiting collection;
- limiting use, disclosure, and retention;
- individual access; and
- challenging compliance.
7. Controller and Processor Obligations
Institutions under FIPPA, PHIPA, the MFIPPA, and the CYFSA are generally not required to notify the OIPC about their data collection, use, or disclosure activities. However, these acts also provide that those institutions, HICs, and service providers can seek permission from the OIPC to collect data indirectly from individuals (generally data must be collected directly).
Under PIPEDA, organisations also do not generally have a requirement to notify the OPC about the collection or use of personal information. However, organisations who wish to use personal information for statistical, scholarly study, or research purposes where it is impractical to obtain the consent of individuals must inform the OPC before the information is used (Section 7(2) of PIPEDA).
When an organisation transfers personal information to a third-party service provider who acts on behalf of the transferring organisation, the transferring organisation remains accountable for the protection of that personal information and ensuring compliance with the applicable legislation. In particular, the transferring organisation is responsible for ensuring that the third-party service provider appropriately safeguards the data and would also be required under the notice and openness/transparency provisions to reference the use of third-party service providers in and outside of Canada in their privacy policies and procedures.
There are different approaches to protecting personal information that is being transferred for processing. The EU Member States have passed laws prohibiting the transfer of personal information to another jurisdiction unless the European Commission has determined that the other jurisdiction offers 'adequate' protection for personal information.
In contrast to this state-to-state approach, Canada has, through PIPEDA, chosen an organisation-to-organisation approach that is not based on the concept of adequacy. PIPEDA does not prohibit organisations in Canada from transferring personal information to an organisation in another jurisdiction for processing.
However, under PIPEDA, organisations are held accountable for the protection of personal information transfers under each individual outsourcing arrangement. The OPC can investigate complaints and audit the personal information handling practices of organisations.
Privacy Impact Assessments ('PIAs') have long been part of Canadian public sector privacy law. However, they have not been required under Canada's private sector privacy statutes and, as a result, may be unfamiliar to many Canadian businesses and other private organisations. Notably, there is a mandatory requirement to undertake a PIA if an organisation is classified as a health information network provider (Section 6(3) of the Regulation).
All health information network providers must conduct a PIA. A health information network provider is defined as a person (which includes organisations) who provides service to two or more health information custodians where the services are provided primarily to health information custodians to enable the health information custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians (Section 6(2) of the Regulation).
The Planning for Success: PIA Guide ('PIA Guide') and the PIA Guidelines for PHIPA ('the PIA Guidelines') provide template questionnaires that can be used when conducting a PIA, and outline the information that should be included in a PIA. In addition, the OIPC has issued worksheets to aid organisations in conducting PIAs.
The concept of a 'data protection officer' does not exist in Ontario legislation or Canadian federal legislation.
To comply with accountability requirements under PIPEDA, organisations are required to appoint an individual responsible for the organisation's compliance with PIPEDA and develop personal information policies and practices. Further, under the accountability principle, an organisation is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. However, a data controller is not explicitly defined in PIPEDA.
However, FIPPA and the MFIPPA use the term 'head', which refers to the official at an institution accountable and responsible for overseeing the administration of the privacy laws, ensuring compliance with the privacy laws, and making decisions regarding the privacy laws. Under FIPPA, the head is the Minister presiding over the ministry for Ontario ministries, the chair of the board for public hospitals, the superintendent for private hospitals, and the person designated in the regulations for other institutions. Under the MFIPPA, institutions can designate a head by by-law or in writing, as applicable. Under both FIPPA and the MFIPPA, the head of an institution can delegate its powers or duties to another officer of the institution in writing.
Furthermore, HICs under PHIPA that are not natural persons are to designate a contact person who will, among other things, facilitate the custodian's compliance with PHIPA, respond to public inquiries about the custodian's information practices, and respond to requests from individuals to access or correct personal health information.
Under the accountability principle in PIPEDA, organisations are to designate an individual to be accountable for the organisation's compliance with PIPEDA.
According to the OIPC, privacy breaches may occur when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with the legislation. Individuals may make complaints to the OIPC about privacy breaches. Institutions can also self-report privacy breaches and incidents to the OIPC, but it is not required under FIPPA or the MFIPPA. However, institutions are encouraged to alert appropriate staff, contain the breach, notify those affected by the breach, investigate the breach, and notify the OIPC of significant breaches. The OIPC can investigate privacy breaches formally or informally.
However, there is mandatory reporting of privacy breaches under the CYFSA and PHIPA. Under PHIPA, a HIC is required to notify the OIPC of a privacy breach in prescribed circumstances, which include the use or disclosure without authority, stolen information, a pattern of similar breaches, disciplinary action for breaches, and significant breaches. Further, HICs are required to submit annual reports to the OIPC setting out the number of times personal health information was stolen, lost, used without authority, and disclosed without authority in the previous calendar year.
Under the CYFSA, service providers are required to notify the OIPC of privacy breaches under certain circumstances, including the use or disclosure without authority, stolen information, a pattern of similar breaches, breaches that lead to disciplinary action against an employee, and significant breaches. Similar to PHIPA, service providers under the CYFSA must submit annual reports to the OIPC setting out the number of times personal information was stolen, lost, used without authority, disclosed without authority, and used in a manner outside the scope of its information practices.
Organisations under PIPEDA are required to report to the OPC breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals (the 'RROSH' standard). Organisations are also required to notify affected individuals about those breaches and to keep records of all breaches of security safeguards for a period of at least 24 months. A breach of security safeguards is defined as the loss of, unauthorised access to, or unauthorised disclosure of personal information resulting from a breach of the organisation's security safeguards or from a failure to establish such safeguards. Significant harm includes, but is not limited to, bodily harm, humiliation, damage to reputation, financial loss, and identity theft.
The factors relevant to determining whether a security breach creates a real risk of significant harm include the sensitivity of the personal information, the probability of misuse of the personal information, and any other prescribed factor (Section 10(1) of PIPEDA).
To limit use, disclosure, and retention under PIPEDA, organisations are to only disclose personal information for the purpose for which it was collected (unless the individual consents), keep personal information for a reasonable time to allow the individual to access it but only as long as needed, and destroy information that is no longer required for an identified purpose or legal requirement.
Under the accuracy principle, organisations are to minimise the possibility of using incorrect personal information. Under the safeguard principle, organisations are to protect personal information against loss or theft and safeguard it against unauthorised access or disclosure.
While there are no regulations specifically addressing the processing of children's data or the age of consent, the OPC has identified the following tips for services aimed at children and youth:
- limit, or avoid altogether, the collection of personal information;
- be careful about 'inadvertent' collection;
- have an appropriate retention schedule for inactive accounts;
- speak to the specific services being provided to youth;
- make sure users can understand what is being asked of them, or know to engage their parents/guardians;
- consider the user experience;
- make clear who is agreeing to terms and conditions;
- ensure there are proper defaults for the age of users;
- know what is happening on the organisation's own website; and
- prevention is preferable to monitoring.
The accountability principle provides that organisations that transfer personal information to a third party for processing should use contractual or other means to provide a comparable level of protection while the information is being processed by a third party (Schedule 1 of PIPEDA).
This is generally not applicable in Ontario's legislative context.
However, a HIC can disclose personal health information to a researcher if the researcher enters into an agreement with the HIC to comply with the conditions and restrictions that the HIC imposes, if any, relating to the use, security, disclosure, return, or disposal of the information (Section 44 of PHIPA).
Similarly, under FIPPA and the MFIPPA, the head of an institution can disclose personal information for a research purpose if the person receiving the information agrees to comply with certain security and confidentiality terms and conditions prescribed in the regulations.
8. Data Subject Rights
As noted above, individuals generally must be given notice under FIPPA and the MFIPPA when an institution subject to FIPPA or the MFIPPA collects personal information.
Individuals also have the right under FIPPA and the MFIPPA to access any personal information about themselves that is in the custody or under the control of an applicable institution or any other personal information about themselves that is reasonably retrievable by the institution.
Individuals who are given access to their personal information can request correction of errors or omissions, request that a statement of disagreement be attached to the information where a requested correction was not made, and require that any person to whom the information was disclosed within the year before the correction was requested, or the statement of disagreement was required, be notified of the correction or statement of disagreement.
Canada has yet to recognise 'a right to be forgotten' or to enact erasure laws. However, injured parties can use the complaint procedure under PIPEDA.
Individuals can make complaints to the OIPC when they believe that an institution has not complied with the privacy rules on personal information. Individuals are encouraged to first resolve the complaint with the institution directly, but they can file a complaint with the OIPC if they believe the institution has not adequately addressed their concerns. The OIPC will investigate and encourage settlement or adjudicate as appropriate and necessary.
FIPPA and the MFIPPA include offences for violations of the rules they provide. These offences include, but are not limited to, wilful disclosure of personal information, making a request for access to or correction of personal information under false pretences, and wilfully obstructing the OIPC in the performance of its prescribed functions.
Institutions and individuals can be liable for fines of up to CAD 5,000 (approx. €3,380) for these offences (Section 61 of FIPPA and Section 48 of the MFIPPA).
PHIPA contains similar offences including but not limited to wilful collection, use, or disclosure of personal health information in contravention of its provisions and wilfully obstructing the OIPC in the performance of their prescribed functions. In addition to previous amendments stated above, the Fiscal Act amended PHIPA to give the OIPC the power to order that an administrative penalty be paid by persons who have contravened the Act or its regulations (Section 61 of PHIPA). The Fiscal Act also includes a new provision allowing justices to make production orders requiring persons to produce certain documents or data if satisfied that an offence under PHIPA has been or is being committed and that the document or data will provide evidence respecting the offence or suspected offence.
Additionally, Section 72 of PHIPA was amended to provide that natural persons are liable for a fine of up to CAD 200,000 (approx. €135,310) and that non-natural persons are liable for a fine of up to CAD 1 million (approx. €676,520).
There is the possibility for imprisonment of natural persons for violations (Section 72 of the PHIPA).
The CYFSA also outlines similar offences, and a person who is guilty of these is liable for a fine of up to CAD 5,000 (approx. €3,380).
Under PIPEDA, an organisation that knowingly contravenes certain of its provisions (by failing to retain personal information long enough for individuals to access and correct it, failing to report breaches of security safeguards, failing to maintain records of such breaches, or disciplining or disadvantaging whistle-blowers), or that obstructs the OPC's investigation of a complaint, is guilty of an offence punishable on summary conviction by a fine of up to CAD 10,000 (approx. €6,770) or, as an indictable offence, by a fine of up to CAD 100,000 (approx. €67,660) (Section 28 of PIPEDA).
It is an offence under the Privacy Act to obstruct the Privacy Commissioner in their performance of duties and functions under the Act, and each person who commits this offence is liable on summary conviction to a fine of up to CAD 1,000 (approx. €680).
On 19 October 2017, the Canadian Radio-television and Telecommunications Commission ('CRTC') handed down two decisions in response to a challenge by 3510395 Canada Inc., operating as CompuFinder, to a notice of violation issued under Canada's Anti-Spam Legislation, SC 2010 c 23 ('CASL'). The notice set out a penalty of CAD 1.1 million (approx. €744,237).
CompuFinder raised a challenge to the constitutionality of CASL, arguing, among other things, that CASL:
- had not been validly enacted by the Federal Parliament; and
- contravened the Canadian Charter of Rights and Freedoms ('the Charter') by infringing CompuFinder's freedom of expression and other protections conferred by Sections 7, 8, and 11 of the Charter. CompuFinder also challenged the amount of the penalty.
In its two decisions, the CRTC determined CASL to be constitutional and confirmed CompuFinder's violation of CASL. However, it reduced the amount of the monetary penalty to CAD 200,000 (approx. €135,320).
On 5 June 2020, the Federal Court of Appeal ('FCA') released its decision on CompuFinder's appeals of the two CRTC decisions, dismissing CompuFinder's constitutional challenge to CASL in what was the first detailed judicial consideration of the legislation.