In addition to Canadian Federal privacy legislation – the Privacy Act and the Personal Information Protection and Electronic Documents Act, or PIPEDA – a number of Canadian provinces have also established their own substantially similar privacy statutes. Organizations operating in these provinces must respect the provincial legislation with respect to the collection, use or disclosure of personal information as well as the other federal regulations.
Provincial & Territorial Privacy Laws
As Canada’s privacy protection model takes a co-regulatory approach, a number of provinces and territories have established legislation with respect to the collection, use or disclosure of personal information within private sector organizations in that specific province or territory. While federal governments have jurisdiction over matters that are national, international or interprovincial, the provincial and territorial governments are responsible for exercising jurisdiction over local matters.
While certain provincial laws apply to the provincial public sector, some provinces have developed laws that apply to the private sector as well. Below is an outline of the provinces and territories with privacy protection legislation:
- Freedom of Information and Protection of Privacy Act (2000)
- Health Information Act (2001)
- Personal Information Protection Act (2004)*
- Freedom of Information and Protection of Privacy Act (1996)
- Personal Information Protection Act (2004)*
- Privacy Act (1996)
- Personal Health Information Access and Protection of Privacy Act, or Bill 24: E-Health Act (2008)
- Privacy Act (2008)
- Freedom of Information and Protection of Privacy Act (1997)
- Personal Health Information Act (1997)
Newfoundland & Labrador
- Access to Information and Protection of Privacy Act (2002)
- Privacy Act (1990)
- Personal Health Information Act (to be proclaimed)
- Freedom of Information and Protection of Privacy Act (1990)
- Personal Health Information Protection Act (2004)*
- Municipal Freedom of Information and Protection of Privacy Act (1990)
Prince Edward Island
- An Act Respecting the Protection of Personal Information in the Private Sector (1993)*
- An Act Respecting Access to Documents held by Public Bodies and the Protection of Public Information (1982)
- Freedom of Information and Protection of Privacy Act (1990)
- Health Information Protection Act (1999)
- Local Authority Freedom of Information and Protection of Privacy Act (1990)
- Privacy Act (1978)
Substantially Similar Legislation
In the list above, provincial legislation marked with an asterisk (*) have been declared substantially similar to the PIPEDA, which is the federal legislation that governs the collection, use or disclosure of personal information by private sector organizations. According to the declaration, substantially similar laws provide privacy protection consistent with and to an equivalent level as the PIPEDA.
This means that these provincial legislations must incorporate the ten principles in the PIPEDA (i.e. accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance).
Substantially similar laws also must establish an independent and effective oversight body, a Privacy Commissioner, with the authority to investigate violations, seek redress and restrict the collection, use and disclosure of personal data.
Organizations in Alberta, British Columbia, Ontario and Quebec are subject to provincial privacy protection legislation, thus are exempt from parts of the PIPEDA. However, the PIPEDA continues to govern the collection, use and disclosure of personal data with regards to federal work and information outside of those provinces.
In order to qualify as substantially similar, provincial legislation must undergo evaluation by the federal Privacy Commissioner. The Privacy Commissioner rules if the legislation is equal to or superior to the federal law in terms of the quality of privacy protection it can provide. The federal law represents the threshold.
Provincial Privacy Commissioners: Roles & Responsibilities
Provincial Privacy Commissioners and their respective Offices are established to fulfill the mandates created under provincial privacy legislation. They function independently and offer resources, information and assistance to the public in privacy protection and access of personal information. Privacy commissioners have regulatory powers and oversight responsibilities for provincial privacy legislation.
Provincial Privacy Commissioners are appointed by their provincial Legislative Assembly. As officers of their provincial Legislature, they are responsible for reporting to the Assembly. Privacy commissions function independently from the government.
Under substantially similar privacy legislation in the provinces of Alberta, British Columbia, Ontario and Quebec, provincial Privacy Commissioners have the authority to:
- Investigate, mediate and resolve access to information disputes and privacy complaints.
- Investigate the ways in which personal data is collected, used and disclosed to ensure compliance with privacy legislation.
- Issue binding orders.
- Conduct audits to ensure compliance with privacy legislation.
- Authorize collection of personal information.
- Research areas of information access and privacy rights.
- Analyze access and privacy implications of proposed legislation, programs and policies.
- Issue findings on privacy implications of new technologies.
- Increase public awareness on information access and privacy rights.
Provinces without substantially similar privacy legislation, or without Privacy Commissioners, rely on an Ombudsperson and his/her Office to resolve privacy issues. Provinces with an Office of the Ombudsman include Manitoba, New Brunswick and Yukon Territory.
The Ombudsperson is appointed by a committee of their provincial Legislature. This person functions as an independent, non-partisan Officer of their provincial Legislative assembly. He or she is responsible for:
- Investigating privacy complaints made by individuals who believe they have been unfairly dealt with. Such investigations may be conducted of government departments, municipalities, school districts, district education councils, regional health authorities, Crown agencies and provincial agencies. Investigations are independent and confidential in nature.
- Resolving complaints informally, if and when appropriate. If complaints cannot be resolved informally, the Ombudsperson must make a recommendation to the appropriate authorities.
- Conducting a systemic review on principles of administration and compliance with access to information and privacy rights.
- Promoting principles of fairness, equity, openness and accountability in governing bodies with regards to privacy protection.
As a result of investigations or reviews, the Ombudsperson has the authority to make a finding, facilitate a resolution or make a recommendation for corrective actions. However, the Ombudsperson cannot require the government to act. Furthermore, the Ombudsperson is not authorized to investigate complaints regarding any of the following areas:
- Federal government
- Judges and functions of any court
- Criminal matters
- Private companies and individuals
- Matters of the Executive Council, or related committees
The federal Office of the Privacy Commissioner, the Information and Privacy Commissioner of Alberta and the Information and Privacy Commissioner of British Columbia share responsibilities for private sector privacy legislation. As of 2008, they have agreed upon a Memorandum of Understanding, which supports federal and provincial collaboration and cooperation. This enables the federal and provincial Privacy Commissioners to achieve the following objectives:
- Leverage the resources of all three Offices to maximize ability and impact and reduce overlap and inefficiencies.
- Improve knowledge sharing and develop relationships between the Offices to provide consistent, coordinated, efficient oversight of private sector privacy.
- Carry out Privacy Commissioners’ joint instructions.
Collaboration between the Offices is focused on the following four areas:
- The Offices will identify and respond to enforcement issues through a process of coordinated consultation.
- The Offices will identify common principles and areas of mutual policy interest.
- The Offices will consult with each other to develop and implement appropriate strategies.
- The Offices will focus on emerging privacy issues to ensure relevant, proactive and consistent responses as much as possible.
3. Public Education and Compliance Resources
- Public education initiatives will be developed in a collaborative manner, where appropriate and where resources allow.
- This will ensure consistency in private sector privacy compliance.
4. Information Sharing
- This will take place on areas of mutual interest to increase knowledge and understanding.
In order to achieve the above objectives, the Offices have set up the Private Sector Privacy (PSP) Forum. Each Office is committed to sending representatives to participate in the Forum’s monthly and annual meetings. The PSP Forum is responsible for carrying out the following activities:
- Develop protocols for information sharing; determining jurisdiction; transferring complaints; carrying out parallel and joint investigations.
- Find opportunities to develop collaborative policy and public education programs.
- Identify opportunities for collaborating on internal protocols, including templates, reporting formats and case management systems.
- Consult on issues of jurisdiction between Offices, regarding dispute resolution.
- Participate in staff exchanges.
- Sponsor, support and participate in conferences and other training events.
This article discusses the roles, responsibilities and mandates of provincial Privacy Commissioners and their Offices. It examines how their jurisdiction is different from the Federal Privacy Commissioner and the OPC. The concept of “substantially similar” legislation is defined and outlined. Finally, the article explores areas and mechanisms for collaboration between provincial and federal privacy commissioners.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Canadian government and legal system; division of powers (I.A.a.ii.)
- Office of the Federal Privacy Commissioner (II.B.e.i.1.a.)
- Provincial and Territorial Privacy Commissioners (II.B.e.i.1.b.)
- Canadian Private Sector Laws (III.A.)