Share your views on modernizing Canada’s Privacy Act

A modern Privacy Act should enhance Canadians’ trust in how federal public bodies treat, manage and protect their personal information. The Government of Canada’s vision is for a modern Act that better reflects contemporary expectations about how federal public bodies should protect individuals’ personal information and make better use of their information to keep Canadians safe, provide innovative solutions to the challenges Canadians face, and make Canadians’ lives easier.  A modernized Privacy Act should reflect how federal public bodies are effective stewards of the personal information Canadians entrust to them, while allowing them to improve and adapt to new changes in society and technology over time.  

Three supporting pillars 

This vision for modernizing the Privacy Act is supported by three pillars:

1. Respect for individuals based on well established rights and obligations for the protection of personal information that are fit for the digital age.
   
   
2. Accountability that is both meaningful and transparent. Being accountable means federal public bodies demonstrating that they have strong governance and oversight practices to help ensure they are responsible stewards of the personal information in their hands.
   
   
3. Adaptability to allow federal public bodies to innovate. New technologies, new business models, new capabilities, disruptive change, and unforeseen circumstances are the norm today. A modern Act should create a flexible framework that supports federal public bodies in effectively dealing with constant change. A one-size-fits-all approach to personal information regulation would reflect neither individuals’ expectations nor the variety of contexts in which federal public bodies collect, use and share personal information. 

Ensuring essential equivalence with other leading data protection regimes

The Privacy Act is only one component of an increasingly global framework that links regulation of personal information practices in both the public and the private sectors across many jurisdictions. The Act should strive to be consistent with other leading data-protection regimes in Canada and elsewhere to ensure a comparable equivalence with the core requirements of those regimes. At the same time, the Privacy Act has many unique features that have served Canadians well over the years and the Act remains a strong foundation for made-in-Canada enhancements.

One place to start is stronger alignment between the Privacy Act and the federal legislation that applies to the private sector, the Personal Information Protection and Electronic Documents Act. Coherence between these federal laws can simplify the personal information protection regime for everyone, enhance domestic interoperability, prevent gaps in accountability where public and private sector entities interact, and further confirm the Privacy Act’s alignment with established global standards. Although they sometimes use different terminology and approaches, both Acts were influenced by the OECD’s foundational Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The OECD Guidelines were established in 1980 and updated in 2013 to reflect important developments in international data protection, including the evolution of Convention 108, the APEC Privacy Framework, and Europe’s General Data Protection Regulation. A modernized Privacy Act should reflect important ongoing international developments as well.

Technological neutrality 

A modern Privacy Act should emphasize technological neutrality. This will allow federal public bodies to explore different and new means of carrying out their roles and ensure the Act retains its relevance in the face of new technologies. It will also allow them to regulate new practices and respond quickly to change.

The Privacy Act plays an important role in guiding the federal government’s relationships with individuals. An additional objective of Privacy Act modernization is to advance reconciliation with Indigenous peoples in Canada as there are opportunities for the Privacy Act to acknowledge, affirm and empower Indigenous individuals, communities and governments.  

While this public consultation offers an opportunity for all Canadians, including Indigenous people, to respond to some ideas for amending the Privacy Act, ongoing discussions with Indigenous governments and organizations have revealed some ways in which the Act may uniquely impact Indigenous individuals and communities. As well, addressing the control by Indigenous peoples over their information and data is an important step toward reconciliation. The Department of Justice Canada continues its discussions with Indigenous governments and organizations to gain further insight on some issues that have been highlighted through earlier discussions, such as: 

• Reflecting the diversity of Indigenous governments: Consideration is being given to replacing the current definition of “aboriginal government” with a more flexible definition that reflects the diversity of Indigenous governance models.
  
  
• Information-sharing partnerships: In recognition of the unique nature, sensitivity and amount of personal information that federal public bodies may hold in relation to Indigenous people, a modernized Privacy Act might facilitate information-sharing with Indigenous governments and their institutions for a broader range of purposes than those currently recognized under paragraph 8(2)(f) of the Act. Addressing the need for such sharing of information with Indigenous governments and their communities is one way to help Indigenous peoples move towards self-governance.
  
  
• Continued disclosures for claims research: Recognizing that advancing historical claims can require and justify the disclosure of personal information, the Privacy Act allows the federal government to disclose personal information for the purposes of “researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada.” One issue to explore is the disclosure of personal information for such purposes.
  
  
• New governance mechanisms to support consultative approaches: The protection of and access to the personal information of Indigenous people can raise particularly complex considerations. Indigenous organizations and governments want to exercise control over decisions involving the personal information of their members. New mechanisms and tools may help address these considerations.
  
  
• Special Indigenous interests in communal privacy protection: Since individual and communal Indigenous privacy interests can be deeply intertwined, this raises the question of whether the Privacy Act could reflect the unique concept of communal privacy interests. 

Earlier this year, the Government of Canada launched a review of the Access to Information Act. This initiative will examine the legislative framework, consider opportunities to improve proactive publication to make information openly available, and assess processes and systems to improve service and reduce delays. The Government of Canada will engage Canadians on these important issues and will also seek the views of Indigenous peoples on aspects of the Access to Information Act that are of particular importance to them. 

The Privacy Act and the Access to Information Act are both federal statutes that have quasi-constitutional status. There are similar provisions and elements in both Acts, including nearly identical exceptions and exemptions to providing access to records and personal information that share the same public interest rationales, such as security, confidentiality, and privacy. 

These aspects of the Privacy Act will benefit from public input to the Government’s review of the Access to Information Act.  Accordingly, this discussion paper will not address some of these common elements, including the exceptions and exemptions to the right of accessing one’s personal information. These will be reviewed at a later date.

The title of the Act could be amended to more accurately reflect that it governs and regulates personal informational privacy

Despite its title, the Privacy Act is not the sole source of “privacy” protection in Canada, even at the federal level. Canadian law protects many different types of privacy interests through a combination of constitutional instruments, the Criminal Code, the Civil Code of Quebec, the common law, and other federal, provincial and territorial legislation.   

For its part, the Privacy Act specifically addresses the privacy of personal information, as it governs the collection, use, disclosure, and retention of information that relates to identifiable individuals. In order to reflect this underlying aim, the title of the Act could be changed to describe it as a personal information protection law, as is currently reflected in the Act’s French title (Loi sur la protection des renseignements personnels).   

The Act’s purpose clause could reflect the important underlying public objectives of federal public-sector privacy legislation

The current purpose clause states that “[t]he purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a federal public body and that provide individuals with a right of access to that information.” This statement reflects the Act’s legislative history more than its broader public objectives. A modernized purpose clause could provide better guidance for interpretation by clearly stating the important underlying objectives of federal public sector data protection legislation, notably: 

• protecting individuals’ human dignity, personal autonomy, and self-determination; 
• enhancing public trust and confidence in government; 
• promoting the responsible use and sharing of data to advance government objectives in the public interest; 
• promoting effective and accountable public governance;
• advancing reconciliation with Indigenous peoples in Canada by promoting improved data sharing with Indigenous governments and communities; and
• supporting sound, ethical and evidence-based public sector decision making. 

The Act could include personal information protection principles similar to those under the Personal Information Protection and Electronic Documents Act to guide, support, and extend the protection of individuals’ personal information

The Privacy Act could incorporate a number of internationally recognized principles for protecting personal information, such as: (i) Accountability; (ii) Identifying purposes; (iii) Consent; (iv) Limiting collection; (v) Limiting use, disclosure and retention; (vi) Accuracy; (vii) Safeguards; (viii) Openness and transparency; (ix) Individual access; and (x) Challenging compliance.  Adding such principles to the Privacy Act would set the baseline expectations for Canadians and federal public bodies as to how personal information should be managed and protected in the federal public sector. As well, since these principles would be consistent with those of the Personal Information Protection and Electronic Documents Act, this would harmonize federal regulation of the public and private privacy sectors.  

For additional details and a more in-depth discussion on the rationale for adding principles to the Act, and what these principles could entail, please consult our annex here.

A number of definitions and concepts in the Act could be updated, and others could be introduced

There are a number of areas where the Act should provide clearer rules about its scope – what it covers and when its full protections are engaged. A risk-based approach to the protection of personal information has been emerging as an international best practice. Changes under consideration include:

• Applying the Act to “federal public bodies” : Currently, the Privacy Act applies to “government institutions” as defined under the Act. While this term covers a comprehensive range of governmental institutions headed by a minister, it also includes many federal public bodies that are not core government departments or agencies. Changing “government institution” to “federal public body” would make it clear that many non-governmental federal entities are also subject to the Act.
  
  
• Updating and clarifying the definition of “personal information” : The current Privacy Act defines “personal information” as “information about an identifiable individual that is recorded in any form.” It includes a number of examples of what constitutes personal information, and also exempts certain information for the purposes of the use and disclosure provisions of the Act (and for access requests under the Access to Information Act for records that contain personal information). Proposed changes could include: 
  • Including unrecorded personal information: Removing the current requirement that personal information be “recorded” could simplify the definition. Many stakeholders have recommended this amendment as it would make the Act consistent with the Personal Information Protection and Electronic Documents Act and with the approach taken in many other jurisdictions. However, since the Act is organized around the concept of a “record,” it is unclear what practical benefits would follow from expanding the definition to include unrecorded information.  Many rights and obligations under the Act could not possibly apply to unrecorded information, such as an individual’s right to access and correct their personal information, a federal public body’s obligations to retain such information, and certain rules for use and disclosure.  Additional input on the practical benefits of such a change is needed.
  • Clarifying when an individual is “identifiable” : The Act could provide criteria for determining when information is about an “identifiable individual” and thus subject to the Act’s requirements. Sensitivity to context would be particularly important, as different considerations might be appropriate depending on the circumstances.  For example, could someone reasonably be identified from information that is restricted to confidential internal use, as opposed to greater public disclosure? 
  • Introducing a balancing approach where personal information reflects the views and opinions of one individual regarding another : Currently, the definition of “personal information” identifies individual A’s stated views or opinions about individual B as individual B’s personal information, not just individual A's. This means individual B has, subject to some exceptions, a right to access individual A’s views or opinions about them and to know the identity of the individual who made those statements. This is an important right in many situations, especially where one person’s opinions can negatively impact another’s rights. However, in some circumstances, it might be more important to protect the confidentiality of a person’s opinion about someone else – for example, in the context of harassment allegations and investigations. The Act could include a provision outlining a more nuanced and flexible balancing approach to apply in such cases, rather than the current fixed and firm rule. 
  • Removing exemptions from within the definition itself : Paragraphs (j) to (m) of the current definition exempt certain types of information that would otherwise be considered “personal information” for the purposes of sections 7, 8, and 26 of the Act (and section 19 of the Access to Information Act). These exemptions ensure that some information can be accessed by individuals other than the individual to whom the information relates, largely for reasons of public interest. However, these exclusions have been difficult to interpret and administer in practice. As well, the public-interest rationale justifying greater use, sharing and access to such personal information might be better reflected elsewhere in the Act and in the Access to Information Act. Therefore, to simplify the definition, this list of exemptions could be removed and sections 7, 8, and 26 amended as necessary.
    
    
• Defining business contact information : Currently, the Act does not clearly indicate that business information is not personal information, which can lead to challenges in certain cases, such as where a business is operated by a sole proprietor. The Act could make it clear that information that relates primarily to a business is not “personal information.”
  
  
• Outlining factors for valid consent : The Act could include factors or standards to help ensure that individual consent provided under the Act is specific, informed, and voluntary, and able to be revoked.
  
  
• Setting out an updated framework for publicly available personal information : The Privacy Act applies to publicly available personal information, except its rules governing subsequent uses and disclosures of personal information. However, the Act does not specifically define the term “publicly available.” A modernized Act could define personal information as being “publicly available” in three instances: first, when it has been made manifestly public by the individual the information relates to; second, when it is broadly and continuously available to all members of the public and the individual has no reasonable expectation of privacy in the information; and third, when another act of Parliament or a regulation requires the information to be publicly available. As well, the current exclusion under subsection 69(2) could be eliminated so that all the Act’s rules would apply to publicly available personal information, while provisions to permit the use and disclosure of such information in specific cases could be added, along with a related exception to the right to have personal information collected directly from the individual.
  
  
• Broadening the concept of administrative purpose : Certain protections in the Privacy Act apply to personal information that is used for an “administrative purpose.”  Under the Act currently,  an administrative purpose relates to the use of personal information in a decision-making process that directly affects the individual the information is about.  However, where it is not used for an administrative purpose, some of the standard requirements relating to notification, correction and retention are relaxed. The Act could be amended to broaden the scope of administrative purpose to capture any practice involving personal information that could directly affect the individual, whether or not a decision-making process was involved. This would ensure that the full suite of protections in the Act applied to the design and development of artificial intelligence systems, for example. 

The Government is not currently considering specifying categories of personal information to which special rules would apply (such as “sensitive” personal information or information relating to minors), though some other jurisdictions do so. A flexible principles-based approach, along with some of the other proposed changes, would ensure the appropriate protection of personal information according to context. The Government also agrees with the Privacy Commissioner that the Act is not an appropriate place for defining “metadata,” since many forms of metadata will simply not be information about an identifiable individual.

Existing rights for individuals and obligations for federal public bodies could be updated and new ones introduced

The Privacy Act currently set outs a number of rights for individuals. Canadians and individuals present in Canada have the right to access their personal information. They also have rights related to notification and the correction of their information where a federal public body uses it to make a decision about them. 

The Act also imposes certain obligations on federal public bodies when they intend to use the personal information to make a decision about that person. These obligations include: (i) collecting personal information directly from the individual where possible (subject to certain exceptions); (ii) retaining personal information for at least two years from the last time the personal information was used (unless the individual consents otherwise) or until the individual has had the opportunity to exercise all his or her rights under the Act; (iii) maintaining the accuracy of such information; and (iv) including it in a personal information bank (among other information). 

These existing rights and obligations could be updated, and new rights and protections could be added to address expectations that have evolved in the digital era. Such changes could include:

• Expanded access rights : The Act could extend the right to access one’s personal information to foreign nationals who are not present in Canada, provided there are adequate procedures to verify the identity of the person requesting the information. This would eliminate the current need for foreign nationals to rely on third parties present in Canada to make requests for their personal information on their behalf under the Access to Information Act. It would also bring Canadian law in line with other jurisdictions’ practices of providing universal access to personal information and enhance interoperability with the European Union in particular. However, given that a number of federal government institutions have noted that expanding access rights could have important resource implications, it might be prudent to first pilot a limited expansion of access rights to test its impact on public resources and the system as a whole, and to provide an opportunity to develop effective procedures for identity verification.
  
  
• A right to have personal information collected directly from the individual for all intended purposes, unless an exception applies : Exceptions allowing a federal public body to collect personal information in ways other than directly from the individual would include those already set out under the Act. Other exceptions might be: 
  • where the individual provides consent to indirect collection of their personal information;
  • where the information is “publicly available” and is being collected for a purpose other than making a decision directly affecting the individual;
  • where the information is collected for the purpose of an investigation by a law enforcement or national security agency;
  • where collection from another source is authorized or required under another act of Parliament; or
  • where the information is received from another federal public body pursuant to a disclosure authorized under the Privacy Act.
    
    
• A right for the individual to be notified when his or her personal information is collected by a federal public body, unless an exception applies : The Act could also include a right for individuals to be notified of when their personal information is collected by a federal public body. The Act could set out the minimal elements that would have to be included in a notice to individuals. However, the Act could also set out reasonable limits to this right, such as:
  • where the individual already has been notified; 
  • where the federal public body is authorized to collect personal information from a source other than the individual; 
  • where the purpose of the collection relates to a law enforcement or national security matter; or 
  • where providing notice would be practically impossible or would defeat or prejudice the purpose of the collection or result in the collection of inaccurate information.
    
    
• A right to request that inaccurate personal information be corrected in a timely manner : The Act could broaden the existing obligation to ensure the accuracy of personal information to require that all personal information that could have a direct impact on an individual be kept accurate, in line with a potentially newly broadened definition of an administrative purpose. As well, the right to require correction of personal information could extend to all personal information used for an administrative purpose and it would have to be corrected within a reasonable amount of time.
  
  
• Certain rights relating to enhanced public awareness of interactions with automated decision-making systems (such as artificial intelligence tools) :  Aligning Privacy Act transparency and accountability requirements with leading federal public sector policy instruments guiding the use of automated decision-making systems could help ensure that individuals know when they are interacting with these systems, what types and sources of personal information these systems use, and general information on how they function. It would be important to retain flexibility and technological neutrality in any new framework for automated decision-making, so that any new rules could be adjusted as government experience in this area grows. As well, exceptions could be made for certain contexts, such as law enforcement and national security, where providing details on such information could harm the public interest.
  
  
• A specific principle to protect personal information with appropriate technical, administrative and physical security safeguards : The Act could include a “Safeguarding” principle, as the Personal Information Protection and Electronic Documents Act does, to ensure that Canadians benefit from the same level of data security protections regardless of which sector or Canadian jurisdiction they are dealing with. Treasury Board Secretariat (“TBS”) policies could translate high-level legal requirements into more detailed operational policies and directives suitable for federal public sector institutions.
  
  
• An obligation to contain personal information breaches and to subsequently notify the Privacy Commissioner and affected individuals in certain cases : The Act could include obligations for federal public bodies to minimize and mitigate impacts of material breaches and to notify the Privacy Commissioner and affected individuals where there is a risk of significant harm to an individual. The obligation to notify the Privacy Commissioner and affected individuals would arise as soon as practically possible after making efforts to contain and assess the breach.
  
  
• An obligation to retain information about any personal information breach : The Act could include a new obligation to retain information about all personal information breaches, whether they create a real risk of significant harm to an individual or not. This obligation would allow the Government to more effectively monitor trends and address potential risks that go beyond any single federal public body. It could also allow the Privacy Commissioner to effectively verify compliance.

The Act could include updated and new obligations that relate to the collection, use, disclosure and retention of personal information 

While many stakeholders have expressed broad support for a shift towards a principles-based Privacy Act, many have cautioned that principles need to be supported by more detailed rules that can offer specific direction about what the Act requires or allows federal public bodies to do. Rules governing the collection, use, sharing and retention of personal information could be updated and new ones added. These could include:

• Limiting the collection of personal information to where it is reasonably required for a federal public body’s functions or activities : In line with a new “Limiting collection” principle, the Act could provide that a federal public body can only collect personal information where it is reasonably required for the federal public body’s functions or activities, or where it is otherwise expressly authorized by another act of Parliament.
  
  In order to provide a more contextual approach to determining what may be “reasonably required,” the Act could include a list of key considerations that federal public bodies would have to take into account in determining whether a collection is “reasonably required,” including: (i) the specific purpose for the collection, particularly whether it was for law enforcement or national security purposes; (ii) the mechanisms or means employed to collect the information; (iii) whether there are less intrusive means of achieving the purpose at a comparable cost and with comparable benefits to the public; and (iv) the degree of intrusiveness of the collection compared to the public interests at play.
  
  This approach would place an emphasis on making collection of the information reasonable and proportionate, while addressing concerns and risks that an explicit necessity requirement could unduly hamper the ability of federal public bodies to carry out their mandates effectively. It would also allow Parliament to adapt to other specific scenarios or technologies in the future where the general “reasonably required” standard might actually impede the government’s ability to carry out its work in the public interest. This approach would also shift the orientation of the collection framework away from specific programs, activities and institutional silos to better accommodate federal public bodies and ministers who have overlapping mandates, and help make programs more efficient within federal public bodies.
  
  
• Making it clear that created or derived personal information is a “collection” : The Act could specify that personal information that a federal public body creates or derives by making inferences based on an individual’s personal information, or information about other individuals, would qualify as a collection of personal information.
  
  
• Addressing unsolicited collections of personal information : There is uncertainty about what obligations federal public bodies have when they unintentionally receive personal information they do not want or do not reasonably require. For example, sometimes individuals will provide sensitive personal information on unrelated matters through the free text feedback forms in online consultations. To address such scenarios, the Act could include specific obligations for cases where federal public bodies receive unsolicited personal information they do not require, such as the obligation to delete it or return it. The Act could also make it clear that retention obligations do not apply to unsolicited personal information.
  
  
• Clarifying the meaning of “consistent” uses and disclosures : The Act currently allows federal public bodies to use or disclose personal information where this is done for the same purpose the information was collected for or a use consistent with that purpose. This particular provision has caused some uncertainty among federal public bodies as to whether an intended use or disclosure is for the same purpose for which it was collected, or whether another purpose is “consistent” with the original purpose.
  
  The Act could continue to permit federal public bodies to use or disclose personal information for a purpose that is compatible with the original purpose for which the information was collected. However, to provide greater clarity around the concept of a “consistent use”, the Act could define this term and set out a non-exhaustive list of examples to better guide federal public bodies in applying it. Examples could include using or disclosing personal information when it is needed to assess eligibility for a service or benefit or to make it possible to provide a service or benefit, which would limit the situations where individuals would have to provide the same information to different federal public bodies for the same purpose.
  
  
• Updating the provisions that allow for the use and disclosure of personal information for other purposes : In line with a new “Limiting use, disclosure and retention” principle, the Act could continue to set out a list of authorized circumstances where personal information may be used or disclosed for a purpose other than that for which it was originally collected. The Act could distinguish between authorities for using and for disclosing personal information and modify the current section 7 to clarify when internal uses of personal information are permitted, since the way certain disclosure authorities under subsection 8(2) are framed make them ill-suited for internal uses of personal information.
  
  The list of circumstances in which personal information may be used or disclosed could continue to include when an individual has given their consent, as well as many of the currently listed authorities. Others authorities would be specified, including using or disclosing personal information in emergencies, to ensure public safety or the safety of an individual, to notify next of kin, and for data integration purposes in some circumstances, subject to certain limits and conditions.
  
  The Act could also eliminate the current “public interest” authority under paragraph 8(2)(m) and replace it with a new framework that could permit a further use or disclosure of personal information for a purpose not specifically identified in the Act where the head of a federal public body determined that doing so would be “reasonably required” in the public interest, with an associated record-keeping requirement for such decisions to allow review by the Privacy Commissioner. As with the possible updated collection threshold, the Act could identify key considerations that the head of a federal public body would have to take into account in determining whether another use or disclosure was “reasonably required.”
  
  
• Introducing a principles-based approach to retaining personal information : In line with a new “Limiting use, disclosure and retention” principle, the Act could require federal public bodies to retain personal information for no longer than reasonably needed to effectively carry out the purpose for which it was collected. This would provide federal public bodies with flexibility to adapt their retention practices to the unique circumstances of each collection. This framework could be complemented by a list of specific provisions allowing for longer retention periods, including for archival purposes, to respond to requests for access to personal information and to comply with other legal obligations.

For additional details and a more in-depth discussion on the rationale for these potential changes, please consult our annex here.

Federal public bodies could be provided with greater flexibility to use and disclose personal information that has undergone an established process for removing personal identifiers 

There is great promise for the use of de-identified personal information to allow federal public bodies to innovate in the public interest, while still protecting personal privacy. Despite some well-known anecdotes of de-identified personal information being subsequently re-identified, the use of de-identification as a privacy-enhancing technique is well supported, even by regulators. De-identification does not completely eliminate the risk of re-identification, but when done appropriately, it significantly reduces that risk. As such, a framework focussed on reducing risks by removing personal identifiers and protecting later uses of de-identified information would allow federal public bodies more flexibility to use data for public benefit, while minimizing risks to personal information. 

To create a greater incentive for federal public bodies to use and share de-identified personal information, instead of information that identifies individuals, the Act could:

• Define “de-identified” personal information ;
  
  
• Clarify that the process of de-identifying personal information is not a separate “use” of the information ;
  
  
• Allow federal public bodies to use and disclose de-identified personal information in a greater variety of circumstances : The Act could allow federal public bodies to use or disclose de-identified personal information without consent where the information is used or shared in the public interest, where the information has been de-identified according to a process set out in regulations or Government policy, and where appropriate technical, administrative and/or contractual protections, which could vary depending on the context, have been applied to the de-identified information;
  
  
• Create a specific offence for re-identifying personal information that has been de-identified, or for wilful attempts to do so.