Landscape of privacy legislation in Canada
Legislation has been created by both BC and the Canadian federal government to protect personal information within their respective jurisdictions. Depending on the research, one or more statutes may need to be considered. For example, a Vancouver Island University researcher doing research involving a counseling agency may have to consider both BC’s public and private sector laws. The following are the statutes for their relevant jurisdictions:
- Public sector (e.g. government, government agencies, BC universities & colleges):
- Private sector (e.g. business, not-for-profits):
FOIPPA & Vancouver Island University
The BC Freedom of Information and Protection of Privacy Act regulates how personal information is collected, used or disclosed by public bodies, which includes Vancouver Island University and its researchers. The following definitions are important in understanding what information is protected and what is not.
- Personal information - “means recorded information about an identifiable individual other than contact information” (Schedule 1)
- Contact information - “means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual” (Schedule 1)
- Collection, retention, use & disclosure - FOIPPA sets out requirements regarding the collection, retention, use and disclosure of personal information by public bodies. The following provides some brief information. (Refer to FOIPPA, Part 3 for more information).
  - Collection:
    - Collecting personal information is only permitted where it is authorized under an Act, for law enforcement, or where it relates directly to and is necessary for an operating program or activity of the public body (s. 26).
    - Personal information must be collected directly from the individual (with some exceptions) and the person collecting it must inform the individual of the purpose & authority for collecting the personal information (s. 27).
  - Retention - Personal information must be kept for at least one year if it was used to make a decision that directly affects the individual (s. 31).
  - Use - Personal information may only be used for the following purposes (s. 32):
    - for which it was collected or a consistent purpose,
    - with informed consent, in writing (& Reg. s. 6), or
    - a purpose for which the information may be disclosed to that public body under ss. 33-36, which includes “research purposes”. Important FOIPPA provisions in section 35 must be considered when disclosure is for research purposes (see “Disclosure for research” below for more information).
  - Disclosure - circumstances where disclosure of personal information is permitted are set out in sections 33-36.
    - s. 33.1 - FOIPPA was amended to protect personal information from being disclosed outside of Canada. This section lists the circumstances where personal information may be disclosed inside or outside Canada, such as when a person requests access to their own information, where there is written consent, as permitted under an Act, or for health & safety reasons (see FOIPPA for details).
    - s. 33.2 - This section lists the circumstances where personal information may be disclosed inside Canada, such as for law enforcement, for a purpose consistent with the purpose for which it was originally collected, or in accordance with s. 35 as set out next.
    - Disclosure for research or statistical purposes (without the individual’s consent, for example) is only permitted where all of the following conditions are met (s. 35):
      - the research cannot be accomplished unless the information is in individually identifiable form (or the researcher has consent of the Commissioner);
      - the personal information will not be used to contact a person to participate in the research;
      - any record linkage is not harmful to an individual and the benefits are clearly in the public interest;
      - the head of the institution has approved conditions regarding security/confidentiality, removal of identifiers as soon as possible, prohibition of subsequent use; and
      - the researcher has signed an agreement to comply with the agreement and any policies of the institution regarding confidentiality.
PIPA (or PIPEDA) & private organizations
The BC Personal Information Protection Act regulates how personal information is collected, used or disclosed by private organizations, such as clinics. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) regulates private organizations under federal jurisdiction and personal information that is communicated between provinces. Researchers will need to consider private sector legislation when they are involved with a private organization in a way that deals with personal information. For example, if the researcher is collecting personal information from a counseling centre, s/he must ensure that the personal information disclosure by the organization complies with PIPA. The following provides
- Personal information - “means information about an identifiable individual and includes employee personal information but does not include (a) contact information, or (b) work product information” (s. 1)
- Contact information - “means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address, business email or business fax number of the individual” (s. 1)
- Consent - The rules regarding collection, use and disclosure of personal information under PIPA are much more restrictive than under FOIPPA. It is a consent-based approach. Consent may be express or implied.
- Resources: