Personal Information Protection Act

This Act is current to March 25, 2020 See the Tables of Legislative Changes for this Act’s legislative history, including any changes not in force. Personal Information Protection Act [SBC 2003] CHAPTER 63 Assented to October 23, 2003 Part 1 — Introductory Provisions Definitions 1   In this Act: “commissioner“ […]

This Act is current to March 25, 2020
See the Tables of Legislative Changes for this Act’s legislative history, including any changes not in force.

Personal Information Protection Act

[SBC 2003] CHAPTER 63

Assented to October 23, 2003

Part 1 — Introductory Provisions

Definitions

1   In this Act:

commissioner means the commissioner appointed under
section 37
(1) or 39 (1) of the Freedom of Information and Protection of Privacy Act;

contact information means information to enable an
individual at a place of business to be contacted and includes the name, position name
or title, business telephone number, business address, business email or business fax
number of the individual;

credit report has the same meaning as “report” in section 106 of the
Business Practices and Consumer Protection Act;

credit reporting agency has the same meaning as “reporting
agency” in section
106 of the Business Practices and Consumer Protection Act;

day does not include a holiday or a Saturday;

document includes

(a) a thing on or by which information is stored, and

(b) a document in electronic or similar form;

domestic means related to home or family;

employee includes a volunteer;

employee personal information means personal information
about an individual that is collected, used or disclosed solely for the purposes
reasonably required to establish, manage or terminate an employment relationship between
the organization and that individual, but does not include personal information that is
not about an individual’s employment;

employment includes working under an unpaid volunteer work
relationship;

federal Act means the Personal Information Protection and Electronic Documents Act (Canada);

investigation means an investigation related to

(a) a breach of an agreement,

(b) a contravention of an enactment of Canada or a province,

(c) a circumstance or conduct that may result in a remedy or relief being
available under an enactment, under the common law or in equity,

(d) the prevention of fraud, or

(e) trading in a security as defined in section 1 of the Securities Act if the investigation is conducted by or on behalf of an organization recognized by the British Columbia Securities
Commission to be appropriate for carrying out investigations of trading in
securities,

if it is reasonable to believe that the breach, contravention, circumstance,
conduct, fraud or improper trading practice in question may occur or may have
occurred;

organization includes a person, an unincorporated
association, a trade union, a trust or a not for profit organization, but does not
include

(a) an individual acting in a personal or domestic capacity or acting as an
employee,

(b) a public body,

(c) the Provincial Court, the Supreme Court or the Court of Appeal,

(d) the Nisga’a Government, as defined in the
Nisga’a Final Agreement, or

(e) a private trust for the benefit of one or more designated individuals who are
friends or members of the family of the settlor;

personal information means information about an
identifiable individual and includes employee personal information but does not
include

(a) contact information, or

(b) work product information;

proceeding means a civil, a criminal or an administrative
proceeding that is related to the allegation of

(a) a breach of an agreement,

(b) a contravention of an enactment of Canada or a province, or

(c) a wrong or a breach of a duty for which a remedy is claimed under an
enactment, under the common law or in equity;

public body means

(a) a ministry of the government of British Columbia,

(b) an agency, board, commission, corporation, office or other body designated in,
or added by regulation to, Schedule 2 of the Freedom of Information and Protection of Privacy Act, or

(c) a local public body as defined in the Freedom of Information and Protection of Privacy Act;

work product information means information prepared or
collected by an individual or group of individuals as a part of the individual’s or
group’s responsibilities or activities related to the individual’s or group’s employment
or business but does not include personal information about an individual who did not
prepare or collect the personal information.

Application

3
 
(1) Subject to this section, this Act applies to every organization.

(2) This Act does not apply to the following:

(a) the collection, use or disclosure of personal information, if the collection,
use or disclosure is for the personal or domestic purposes of the individual who is
collecting, using or disclosing the personal information and for no other
purpose;

(b) the collection, use or disclosure of personal information, if the collection,
use or disclosure is for journalistic, artistic or literary purposes and for no other
purpose;

(c) the collection, use or disclosure of personal information, if the federal Act
applies to the collection, use or disclosure of the personal information;

(d) personal information if the Freedom of Information and Protection of Privacy Act applies to the
personal information;

(e) personal information in

(i) a court document,

(ii) a document of a judge of the Court of Appeal, Supreme Court or Provincial
Court, or a document relating to support services provided to a judge of those
courts,

(iii) a document of a master of the Supreme Court,

(iv) a document of a justice of the peace, or

(v) a judicial administration record as defined in Schedule 1 of the Freedom of Information and Protection of Privacy Act;

(f) personal information in a note, communication or draft decision of the
decision maker in an administrative proceeding;

(g) the collection, use or disclosure by a member or officer of the Legislature or
Legislative Assembly of personal information that relates to the exercise of the
functions of that member or officer;

(h) a document related to a prosecution if all proceedings related to the
prosecution have not been completed;

(i) the collection of personal information that has been collected on or before
this Act comes into force.

(3) Nothing in this Act affects solicitor-client privilege.

(4) This Act does not limit the information available by law to a party to a
proceeding.

(5) If a provision of this Act is inconsistent or in conflict with a provision of
another enactment, the provision of this Act prevails unless another Act expressly
provides that the other enactment, or a provision of it, applies despite this
Act.

Part 2 — General Rules Respecting Protection of Personal Information by Organizations

Part 3 — Consent

Implicit consent

8
 
(1) An individual is deemed to consent to the collection, use or disclosure of
personal information by an organization for a purpose if

(a) at the time the consent is deemed to be given, the purpose would be considered
to be obvious to a reasonable person, and

(b) the individual voluntarily provides the personal information to the
organization for that purpose.

(2) An individual is deemed to consent to the collection, use or disclosure of
personal information for the purpose of his or her enrolment or coverage under an
insurance, pension, benefit or similar plan, policy or contract if he or she

(a) is a beneficiary or has an interest as an insured under the plan, policy or
contract, and

(b) is not the applicant for the plan, policy or contract.

(3) An organization may collect, use or disclose personal information about an
individual for specified purposes if

(a) the organization provides the individual with a notice, in a form the
individual can reasonably be considered to understand, that it intends to collect, use
or disclose the individual’s personal information for those purposes,

(b) the organization gives the individual a reasonable opportunity to decline
within a reasonable time to have his or her personal information collected, used or
disclosed for those purposes,

(c) the individual does not decline, within the time allowed under paragraph
(b), the proposed collection, use or disclosure, and

(d) the collection, use or disclosure of personal information is reasonable having
regard to the sensitivity of the personal information in the circumstances.

(4)
Subsection (1) does not authorize an organization to collect, use or
disclose personal information for a different purpose than the purpose to which that
subsection applies.

Part 4 — Collection of Personal Information

Collection of personal information without consent

12
 
(1) An organization may collect personal information about an individual without
consent or from a source other than the individual, if

(a) the collection is clearly in the interests of the individual and consent
cannot be obtained in a timely way,

(b) the collection is necessary for the medical treatment of the individual and
the individual is unable to give consent,

(c) it is reasonable to expect that the collection with the consent of the
individual would compromise the availability or the accuracy of the personal
information and the collection is reasonable for an investigation or a
proceeding,

(d) the personal information is collected by observation at a performance, a
sports meet or a similar event

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed
for the purposes of this paragraph,

(f) the collection is necessary to determine the individual’s
suitability

(i) to receive an honour, award or similar benefit, including an honorary
degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the organization is a credit reporting agency that collects the personal
information to create a credit report and the individual consents at the time the
original collection takes place to the disclosure for this purpose,

(h) the collection is required or authorized by law,

(i) the information was disclosed to the organization under sections 18 to
22,

(j) the personal information is necessary to facilitate

(i) the collection of a debt owed to the organization, or

(ii) the payment of a debt owed by the organization,

(k) the personal information is collected for the purposes of the organization
providing legal services to a third party and the collection is necessary for the
purposes of providing those services, or

(l) the personal information is collected for the purposes of the organization
providing services to a third party if

(i) the third party is an individual acting in a personal or domestic
capacity,

(ii) the third party is providing the information to the organization,
and

(iii) the information is necessary for the purposes of providing those
services.

(2) An organization may collect personal information from or on behalf of another
organization without consent of the individual to whom the information
relates, if

(a) the individual previously consented to the collection of the personal
information by the other organization, and

(b) the personal information is disclosed to or collected by the organization
solely

(i) for the purposes for which the information was previously collected,
and

(ii) to assist that organization to carry out work on behalf of the other
organization.

Part 5 — Use of Personal Information

Use of personal information without consent

15
 
(1) An organization may use personal information about an individual without the
consent of the individual, if

(a) the use is clearly in the interests of the individual and consent cannot be
obtained in a timely way,

(b) the use is necessary for the medical treatment of the individual and the
individual does not have the legal capacity to give consent,

(c) it is reasonable to expect that the use with the consent of the individual
would compromise an investigation or proceeding and the use is reasonable for purposes
related to an investigation or a proceeding,

(d) the personal information is collected by observation at a performance, a
sports meet or a similar event

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed
for the purposes of this paragraph,

(f) the use is necessary to determine suitability

(i) to receive an honour, award or similar benefit, including an honorary
degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the personal information is used by a credit reporting agency to create a
credit report if the individual consented to the disclosure for this
purpose,

(h) the use is required or authorized by law,

(h.1) the personal information was collected by the organization under section 12 (1) (k) or (l) and is used to fulfill the purposes for which it was
collected,

(i) the personal information was disclosed to the organization under sections
18 to 22,

(j) the personal information is needed to facilitate

(i) the collection of a debt owed to the organization, or

(ii) the payment of a debt owed by the organization,

(k) a credit reporting agency is permitted to collect the personal information
without consent under section 12 and the information is not used by the
credit reporting agency for any purpose other than to create a credit report,
or

(l) the use is necessary to respond to an emergency that threatens the life,
health or security of an individual.

(2) An organization may use personal information collected from or on behalf of
another organization without the consent of the individual to whom the information
relates, if

(a) the individual consented to the use of the personal information by the other
organization, and

(b) the personal information is used by the organization solely

(i) for the purposes for which the information was previously collected,
and

(ii) to assist that organization to carry out work on behalf of the other
organization.

Part 6 — Disclosure of Personal Information

Disclosure of personal information without consent

18
 
(1) An organization may only disclose personal information about an individual
without the consent of the individual, if

(a) the disclosure is clearly in the interests of the individual and consent
cannot be obtained in a timely way,

(b) the disclosure is necessary for the medical treatment of the individual and
the individual does not have the legal capacity to give consent,

(c) it is reasonable to expect that the disclosure with the consent of the
individual would compromise an investigation or proceeding and the disclosure is
reasonable for purposes related to an investigation or a proceeding,

(d) the personal information is collected by observation at a performance, a
sports meet or a similar event

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed
for the purposes of this paragraph,

(f) the disclosure is necessary to determine suitability

(i) to receive an honour, award or similar benefit, including an honorary
degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the disclosure is necessary in order to collect a debt owed to the
organization or for the organization to repay an individual money owed to them by the
organization,

(h) the personal information is disclosed in accordance with a provision of a
treaty that

(i) authorizes or requires its disclosure, and

(ii) is made under an enactment of British Columbia or Canada,

(i) the disclosure is for the purpose of complying with a subpoena, warrant or
order issued or made by a court, person or body with jurisdiction to compel the
production of personal information,

(j) the disclosure is to a public body or a law enforcement agency in Canada,
concerning an offence under the laws of Canada or a province, to assist in an
investigation, or in the making of a decision to undertake an
investigation,

(i) to determine whether the offence has taken place, or

(ii) to prepare for the laying of a charge or the prosecution of the
offence,

(k) there are reasonable grounds to believe that compelling circumstances exist
that affect the health or safety of any individual and if notice of disclosure is
mailed to the last known address of the individual to whom the personal information
relates,

(l) the disclosure is for the purpose of contacting next of kin or a friend of an
injured, ill or deceased individual,

(m) the disclosure is to a lawyer who is representing the organization,

(n) the disclosure is to an archival institution if the collection of the personal
information is reasonable for research or archival purposes,

(o) the disclosure is required or authorized by law, or

(p) the disclosure is in accordance with sections 19 to 22.

(2) An organization may disclose personal information to another organization
without consent of the individual to whom the information relates, if

(a) the individual consented to the collection of the personal information by the
organization, and

(b) the personal information is disclosed to the other organization
solely

(i) for the purposes for which the information was previously collected,
and

(ii) to assist the other organization to carry out work on behalf of the first
organization.

(3) An organization may disclose personal information to another organization
without consent of the individual to whom the information relates, if the organization
was authorized by section 12 (2) to collect the personal information
from or on behalf of the other organization.

(4) An organization may disclose personal information to another organization, or to
a public body, without consent of the individual to whom the information relates,
if

(a) the personal information was collected by an organization under section 12 (1) (k) or (l),

(b) the disclosure between the organizations, or between the organization and the
public body, is for the purposes for which the information was collected,

(c) the disclosure is necessary for those purposes, and

(d) for each disclosure under this subsection, the third party referred to in
section 12 (1) (k) or (l), as applicable, consents to the disclosure.

Transfer of personal information in the sale of an organization or its
business assets

20
 
(1) In this section:

business transaction means the purchase, sale, lease,
merger or amalgamation or any other type of acquisition, disposal or financing of an
organization or a portion of an organization or of any of the business or assets of an
organization;

party means a person or another organization that proceeds
with the business transaction.

(2) An organization may disclose personal information about its employees,
customers, directors, officers or shareholders without their consent, to a prospective
party, if

(a) the personal information is necessary for the prospective party to determine
whether to proceed with the business transaction, and

(b) the organization and prospective party have entered into an agreement that
requires the prospective party to use or disclose the personal information solely for
purposes related to the prospective business transaction.

(3) If an organization proceeds with a business transaction, the organization may
disclose, without consent, personal information of employees, customers, directors,
officers and shareholders of the organization to a party on condition that

(a) the party must only use or disclose the personal information for the same
purposes for which it was collected, used or disclosed by the organization,

(b) the disclosure is only of personal information that relates directly to the
part of the organization or its business assets that is covered by the business
transaction, and

(c) the employees, customers, directors, officers and shareholders whose personal
information is disclosed are notified that

(i) the business transaction has taken place, and

(ii) the personal information about them has been disclosed to the
party.

(4) A prospective party may collect and use personal information without the consent
of the employees, customers, directors, officers and shareholders of the organization in
the circumstances described in subsection (2) if the prospective party complies with
the conditions applicable to that prospective party under that subsection.

(5) A party may collect, use and disclose personal information without the consent
of the employees, customers, directors, officers and shareholders of the organization in
the circumstances described in subsection (3) if the party complies with the
conditions applicable to that party under that subsection.

(6) If a business transaction does not proceed or is not completed, a prospective
party must destroy or return to the organization any personal information the
prospective party collected under subsection (2) about the employees, customers,
directors, officers and shareholders of the organization.

(7) This section does not authorize an organization to disclose personal information
to a party or prospective party for purposes of a business transaction that does not
involve substantial assets of the organization other than this personal
information.

(8) A party or prospective party is not authorized by this section to collect, use
or disclose personal information that an organization disclosed to it in contravention
of subsection (7).

Disclosure for research or statistical purposes

21
 
(1) An organization may disclose, without the consent of the individual, personal
information for a research purpose, including statistical research, only if

(a) the research purpose cannot be accomplished unless the personal information is
provided in an individually identifiable form,

(b) the disclosure is on condition that it will not be used to contact persons to
ask them to participate in the research,

(c) linkage of the personal information to other information is not harmful to the
individuals identified by the personal information and the benefits to be derived from
the linkage are clearly in the public interest,

(d) the organization to which the personal information is to be disclosed has
signed an agreement to comply with the following:

(i) this Act;

(ii) the policies and procedures relating to the confidentiality of personal
information of the organization that collected the personal information;

(iii) security and confidentiality conditions;

(iv) a requirement to remove or destroy individual identifiers at the earliest
reasonable opportunity;

(v) prohibition of any subsequent use or disclosure of that personal information
in individually identifiable form without the express authorization of the
organization that disclosed the personal information, and

(e) it is impracticable for the organization to seek the consent of the individual
for the disclosure.

(2)
Subsection (1) does not authorize an organization to disclose personal
information for market research purposes.

Part 7 — Access to and Correction of Personal Information

Access to personal information

23
 
(1) Subject to subsections (2) to (5), on request of an
individual, an organization must provide the individual with the following:

(a) the individual’s personal information under the control of the
organization;

(b) information about the ways in which the personal information referred to in
paragraph
(a) has been and is being used by the organization;

(c) the names of the individuals and organizations to whom the personal
information referred to in paragraph (a) has been disclosed by the
organization.

(2) An organization that

(a) is a credit reporting agency, and

(b) receives a request under subsection (1)

must also provide the individual with the names of the sources from which it
received the personal information unless it is reasonable to assume the individual can
ascertain those sources.

(3) An organization is not required to disclose personal information and other
information under subsection (1) or (2) in the following
circumstances:

(a) the information is protected by solicitor-client privilege;

(b) the disclosure of the information would reveal confidential commercial
information that if disclosed, could, in the opinion of a reasonable person, harm the
competitive position of the organization;

(c) the information was collected or disclosed without consent, as allowed under
section
12 or 18, for the purposes of an investigation and the
investigation and associated proceedings and appeals have not been
completed;

(d) [Repealed 2004-67-23.]

(e) the information was collected or created by a mediator or arbitrator in the
conduct of a mediation or arbitration for which he or she was appointed to
act

(i) under a collective agreement,

(ii) under an enactment, or

(iii) by a court;

(f) the information is in a document that is subject to a solicitor’s
lien.

(3.1) A credit reporting agency is not required to disclose the names of the
individuals and organizations to whom the personal information was last disclosed by the
agency in a credit report more than 12 months before the request under subsection
(1) was made.

(4) An organization must not disclose personal information and other information
under subsection (1) or (2) in the following circumstances:

(a) the disclosure could reasonably be expected to threaten the safety or physical
or mental health of an individual other than the individual who made the
request;

(b) the disclosure can reasonably be expected to cause immediate or grave harm to
the safety or to the physical or mental health of the individual who made the
request;

(c) the disclosure would reveal personal information about another
individual;

(d) the disclosure would reveal the identity of an individual who has provided
personal information about another individual and the individual providing the
personal information does not consent to disclosure of his or her identity.

(5) If an organization is able to remove the information referred to in subsection (3)
(a), (b) or (c) or (4) from a document that contains personal information
about the individual who requested it, the organization must provide the individual with
access to the personal information after the information referred to in subsection (3)
(a), (b) or (c) or (4) is removed.

Part 8 — Administration

Part 9 — Care of Personal Information

Part 10 — Role of Commissioner

General powers of commissioner

36
 
(1) In addition to the commissioner’s powers and duties under Part 11 with
respect to reviews, the commissioner is responsible for monitoring how this Act is
administered to ensure that its purposes are achieved, and may do any of the
following:

(a) whether a complaint is received or not, initiate investigations and audits to
ensure compliance with any provision of this Act, if the commissioner is satisfied
there are reasonable grounds to believe that an organization is not complying with
this Act;

(b) make an order described in section 52 (3), whether or not a review is
requested;

(c) inform the public about this Act;

(d) receive comments from the public about the administration of this
Act;

(e) engage in or commission research into anything affecting the achievement of
the purposes of this Act;

(f) comment on the implications for protection of personal information of programs
proposed by organizations;

(g) comment on the implications of automated systems for the protection of
personal information;

(h) comment on the implications for protection of personal information of the use
or disclosure of personal information held by organizations for document
linkage;

(i) authorize the collection of personal information by an organization from
sources other than the individual to whom the personal information relates;

(j) bring to the attention of an organization any failure of the organization to
meet the obligations established by this Act;

(k) exchange information with any person who, under legislation of another
province or of Canada, has powers and duties similar to those of the
commissioner;

(l) enter into information-sharing agreements for the purposes of paragraph
(k) and into other agreements with the persons referred to in that
paragraph for the purpose of coordinating their activities and providing for
mechanisms for handling complaints.

(2) Without limiting subsection (1), the commissioner may investigate and
attempt to resolve complaints that

(a) a duty imposed under this Act has not been performed,

(b) an extension of time for responding to a request is not in accordance with
section 29,

(c) a fee required by an organization under this Act is not reasonable,

(d) a correction of personal information requested under section 24
has been refused without justification, and

(e) personal information has been collected, used or disclosed by an organization
in contravention of this Act.

Powers of commissioner in conducting investigations, audits or
inquiries

38
 
(1) For the purposes of conducting an investigation or an audit under section 36
or an inquiry under section 50, the commissioner may make an order
requiring a person to do either or both of the following:

(a) attend, in person or by electronic means, before the commissioner to answer
questions on oath or affirmation, or in any other manner;

(b) produce for the commissioner a document in the custody or under the control of
the person, including a document containing personal information.

(1.1) The commissioner may apply to the Supreme Court for an order

(a) directing a person to comply with an order made under subsection
(1), or

(b) directing any directors and officers of a person to cause the person to comply
with an order made under subsection (1).

(2) The commissioner may

(a) examine any information in a document, including personal information, and
obtain copies or extracts of documents containing information

(i) found in any premises entered under paragraph (c), or

(ii) provided under this Act, and

(b) [Repealed 2007-9-96.]

(c) at any reasonable time, enter any premises, other than a personal residence,
occupied by an organization, after satisfying any reasonable security requirements of
the organization relating to the premises.

(3) If information to which solicitor-client privilege applies is disclosed by a
person to the commissioner at the request of the commissioner, or obtained by or
disclosed to the commissioner under subsection (1) or (2) (a), the solicitor-client
privilege is not affected by the way in which the commissioner has received the
information.

(4) The commissioner may require an individual to attempt to resolve the
individual’s dispute with an organization in the way directed by the commissioner before
the commissioner begins or continues a review or investigation under this Act of an
applicant’s complaint against the organization.

(5) Despite any other enactment or any privilege afforded by the law of evidence, an
organization must provide to the commissioner any document, or a copy of any document,
required under subsection (1) or (2) (a)

(a) if the commissioner does not specify a period for the purpose, within 10 days
of the date of the commissioner’s request for the document, or

(b) if the commissioner specifies a period, within the period
specified.

(6) If an organization is required to produce a document under subsection
(1) or (2) (a) and it is not practicable to make a copy of
the document, the organization must provide access for the commissioner to examine the
document at its site.

(7) Subject to subsection (8), after completing a review,
investigating a complaint, or conducting an audit, the commissioner must return a
document, or a copy of a document, produced by the individual or
organization.

(8) On request from an individual or an organization, the commissioner must return a
document, or a copy of a document, produced by the individual or organization within 10
days of the date on which the commissioner receives the request.

Restrictions on disclosure of information by commissioner and
staff

41
 
(1) The commissioner and anyone acting for or under the direction of the
commissioner must not disclose any information obtained in performing their duties or
exercising their powers and functions under this Act, except as provided in subsections
(2) to (6).

(2) The commissioner may disclose, or may authorize anyone acting on behalf of or
under the direction of the commissioner to disclose, information that is necessary
to

(a) conduct an investigation, audit or inquiry under this Act, or

(b) establish the grounds for findings and recommendations contained in a report
under this Act.

(3) In conducting an investigation, audit or inquiry under this Act and in a report
under this Act, the commissioner and anyone acting for or under the direction of the
commissioner must take every reasonable precaution to avoid disclosing and must not
disclose

(a) any personal information an organization would be required or authorized to
refuse to disclose if it were contained in personal information requested under
section
27, or

(b) whether information exists, if an organization in refusing to provide access
does not indicate whether the information exists.

(4) The commissioner may disclose to the Attorney General information relating to
the commission of an offence against an enactment of British Columbia or Canada if the
commissioner considers there is evidence of an offence.

(5) The commissioner may disclose, or may authorize anyone acting for or under the
direction of the commissioner to disclose, information in the course of a prosecution,
application or appeal referred to in section 39.

(6) The commissioner may disclose, or may authorize anyone acting for or under the
direction of the commissioner to disclose, information in accordance with an
information-sharing agreement entered into under section 36 (1) (l).

Part 11 — Reviews and Orders

Inquiry by commissioner

50
 
(1) If a matter is not referred to a mediator or is not settled under section 49,
the commissioner may conduct an inquiry and decide all questions of fact and law arising
in the course of the inquiry.

(2) An inquiry may be conducted in private.

(3) The individual who makes a request, the organization concerned and any person
given a copy of the request must be given an opportunity to make representations to the
commissioner during the inquiry.

(4) The commissioner may decide

(a) whether representations are to be made verbally or in writing, and

(b) whether a person is entitled to be present during, to have access to or to
comment on representations made to the commissioner by another person.

(5) The individual who makes a request, the organization concerned and any person
given a copy of the request may be represented at the inquiry by counsel or by an
agent.

(6) If the matter on which a complaint is based is referred under section 49
to a mediator and is not settled by the mediation, the inquiry respecting the complaint
must be completed within 30 days of the day on which the mediation ends.

(7) If a complaint is not referred under section 49 to a mediator and the
commissioner decides to hold an inquiry respecting the review, the inquiry must be
completed within 30 days of the day on which the request is delivered under section 47
(1).

(8) An inquiry respecting a review must be completed within 90 days of the day on
which the request is delivered under section 47 (1), unless the commissioner

(a) specifies a later date, and

(b) notifies

(i) the individual who made the request,

(ii) the organization concerned, and

(iii) any person given a copy of the request

of the date specified under paragraph (a).

(9) The period of an adjournment under section 46 (3) must not be
included for the purpose of calculating a deadline under subsection (7) or (8) of this
section.

Commissioner’s orders

52
 
(1) On completing an inquiry under section 50, the commissioner
must dispose of the issues by making an order under this section.

(2) If the inquiry is into a decision of an organization to give or to refuse to
give access to all or part of an individual’s personal information, the commissioner
must, by order, do one of the following:

(a) require the organization

(i) to give the individual access to all or part of his or her personal
information under the control of the organization,

(ii) to disclose to the individual the ways in which the personal information has
been used,

(iii) to disclose to the individual names of the individuals and organizations to
whom the personal information has been disclosed by the organization, or

(iv) if the organization is a credit reporting agency, to disclose to the
individual the names of the sources from which it received personal information
about the individual,

if the commissioner determines that the organization is not authorized or
required to refuse access by the individual to the personal information;

(b) either confirm the decision of the organization or require the organization to
reconsider its decision, if the commissioner determines that the organization is
authorized to refuse the individual access to his or her personal
information;

(c) require the organization to refuse the individual access to all or part of his
or her personal information, if the commissioner determines that the organization is
required to refuse that access.

(3) If the inquiry is into a matter not described in subsection (2), the commissioner
may, by order, do one or more of the following:

(a) confirm that a duty imposed under this Act has been performed or require that
a duty imposed under this Act be performed;

(b) confirm or reduce the extension of a time limit under section
31;

(c) confirm, excuse or reduce a fee, or order a refund, in the appropriate
circumstances;

(d) confirm a decision not to correct personal information or specify how personal
information is to be corrected;

(e) require an organization to stop collecting, using or disclosing personal
information in contravention of this Act, or confirm a decision of an organization to
collect, use or disclose personal information;

(f) require an organization to destroy personal information collected in
contravention of this Act.

(4) The commissioner may specify any terms or conditions in an order made under this
section.

(5) The commissioner must give a copy of an order made under this section to all of
the following:

(a) the individual who made the request;

(b) the organization concerned;

(c) any person given notice under section 48;

(d) the minister responsible for this Act.

Part 12 — General Provisions

Power to make regulations

58
 
(1) The Lieutenant Governor in Council may make regulations referred to in section 41
of the Interpretation Act.

(2) Without limiting subsection (1), the Lieutenant Governor in Council may make regulations as follows:

(a) prescribing procedures to be followed in making and responding to requests
under this Act;

(a.1) permitting prescribed categories of applicants to make requests under this Act
orally instead of in writing;

(b) authorizing the disclosure of personal information relating to the mental or
physical health of individuals to medical or other experts to determine, for the
purposes of section 23, if disclosure of that information could reasonably be
expected to result in grave and immediate harm to the safety of or the mental or
physical health of those individuals;

(c) prescribing procedures to be followed or restrictions considered necessary
with respect to the disclosure and examination of information referred to in paragraph (b);

(d) prescribing special procedures for giving individuals access to personal
information about their mental or physical health;

(e) prescribing the classes of individuals who may act for minors, incompetents,
deceased persons or any other individuals under this Act and regulating the manner in
which, and the extent to which, any rights or powers of individuals under this Act may
be exercised on their behalf;

(f) respecting fees, including circumstances in which fees

(i) are not payable, or

(ii) must not be above a prescribed amount or percentage;

(g) prescribing sources of personal information for the purposes of section 12 (1)
(e), 15 (1) (e) or 18 (1) (e);

(h) for any other purpose contemplated by this Act.

(3) A regulation under subsection (2) (b) may

(a) specify categories of experts to whom personal information relating to the
mental or physical health of individuals may be disclosed to assess whether its
disclosure to other persons could reasonably be expected to result in grave and
immediate harm to the safety of or the mental or physical health of those
individuals;

(b) impose on members of a category of experts obligations respecting the use and
disclosure of personal information obtained to make an assessment described in
paragraph
(a);

(c) provide differently for different categories of experts.

(4) A regulation made under subsection (1) or (2) may provide differently for
different organizations, individuals, classes of organizations or classes of
individuals.

Source Article

Next Post

Computer Security | FTC Consumer Information

Tue Apr 7 , 2020
Scammers, hackers and identity thieves are looking to steal your personal information – and your money. But there are steps you can take to protect yourself, like keeping your computer software up-to-date and giving out your personal information only when you have good reason. Update Your Software. Keep your software […]