Collection and Processing
Canadian Privacy Statutes set out the overriding obligation that organizations only collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
Subject to certain limited exceptions prescribed in the Acts, consent is required for the collection, use and disclosure of personal information. Depending on the sensitivity of the personal information, consent may need to be presented as opt-in or opt-out. Under the Quebec Privacy Act, consent must be “clear, free and informed and be given for specific purposes”, and implicit or opt-out consent is generally not considered valid. Organizations must limit the collection of personal information to that which is necessary to fulfill the identified purposes and only retain such personal information for as long as necessary to fulfill the purposes for which it was collected.
Each of the Canadian Privacy Statutes have both notice and openness/transparency requirements. With respect to notice, organizations are generally required to identify the purposes for which personal information is collected at or before the time the information is collected. With respect to openness/transparency, generally Canadian Privacy Statutes require organizations make information about their personal information practices readily available.
All Canadian Privacy Statutes contain obligations on organizations to ensure personal information in their records is accurate and complete, particularly where the information is used to make a decision about the individual to whom the information relates or if the information is likely to be disclosed to another organization.
Each of the Canadian Privacy Statutes also provides individuals with the following:
- A right of access to personal information held by an organization, subject to limited exceptions;
- A right to correct inaccuracies in/update their personal information records; and
- A right to withdraw consent to the use or communication of personal information.
In addition to these rights, the Quebec Privacy Act, as modified by Bill 64, will create a right for individuals to have their personal information deindexed (coming into force September 2023) and to data portability (coming into force September 2024).
Finally, organizations must have policies and practices in place that give effect to the requirements of the legislation and organizations must ensure that their employees are made aware of and trained with respect to such policies.