Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Canada - Data Protection

History of Data Protection in CANADA

The Privacy Act 1980 marked Canada's first attempt to legislate in the area of data protection. However, the rapid advances in information technology and the pressure to conform to European standards to facilitate cross- continental trade meant that new legislation was soon required.

The Canadian response was the Personal Information Protection and Electronic Documents Act, which were implemented in three stages, from 1 January 2001 to 1 January 2004. The Act incorporates the 'Privacy Principles', a list of principles that were developed by the Canadian Standards Association.

In 2002, the European Commission decided that the Canadian Personal Information Protection and Electronic Documents Act did provide adequate safeguards for certain personal data to flow freely from the EU to Canada, in line with Directive 95/46/EC.

Summary of Data Protection in CANADA

Title of Data Protection Legislation Personal Information Protection and Electronic Documents Act (PIPEDA)
Name of supervisory authority Privacy Commissioner of Canada
General Powers of supervisory authority The key powers of the commissioner are the powers to: Investigate complaints and conducting audits; Publish information about personal information-handling practices in the public and private sector; Conduct research into privacy issues;Promote awareness and understanding of privacy issues by the Canadian public.
(See Privacy Commissioner's website). Individuals can complain to the Commissioner on any matter listed in Section 29 of the privacy Act. The commissioner may also investigate complaints regarding private sector bodies under section 11 of PIPEDA.
Who has standing to notify the supervisory authority of breaches? Anybody. See s11(1) of PIPEDA.
What are the penalties for data controllers if they breach the law? Section 16 of PIPEDA sets out the specific "remedies" available to the court "in addition to any other remedies it may give". These are a) ordering an organisation to correct it practices, b) order an organisation to publish a notice of any action taken or proposed to be taken to correct its practices, and c) award damages to the complainant, "including damages for any humiliation that the complainant has suffered".
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Not in the data protection legislation.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? Section 2(1) of PIPEDA states that 'personal health information' is information about 'living or deceased' individuals, whilst 'personal information' is information about an identifiable individual. Section 3(m) of the Privacy Act 1980 states that 'personal information' does not include information about an individual who has been dead for more than 20 years.
Who is able to indirectly identify the data subject? This is not mentioned in the Canadian legislation.

Laws and Regulations

Links to Provincial/Territorial laws and institutions

ALBERTA

BRITISH COLOMBIA

MANITOBA

NEW BRUNSWICK

NORTH WESTERN TERRITORIES

NOVA SCOTIA

ONTARIO

QUEBEC

SASKATCHEWAN

YUKON TERRITORY