
Third Session, Thirty-Ninth Legislature

This version is based on the printed bill that was distributed in the Legislature after First Reading.   It is not the official version.   If accuracy is critical, you can obtain a copy of the printed bill from Statutory Publications or view the online bilingual version (PDF).

Bill 219

THE PERSONAL INFORMATION PROTECTION AND IDENTITY THEFT PREVENTION ACT



(Assented to                                         )

HER MAJESTY, by and with the advice and consent of the Legislative Assembly of Manitoba, enacts as follows:

PART 1

INTRODUCTORY PROVISIONS

Definitions

1           The following definitions apply in this Act.

"business contact information" means an individual's name, position name or title, business telephone number, business address, business e-mail, business fax number and other similar business information. (« coordonnées professionnelles »)

"domestic" means related to home or family. (« domestique »)

"employee" means an individual employed by an organization and includes an individual who performs a service for or in relation to or in connection with an organization

(a) as an apprentice, volunteer, participant or student; or

(b) under a contract or an agency relationship with the organization. (« employé »)

"investigation" means an investigation related to

(a) a breach of an agreement;

(b) a contravention of an enactment of Manitoba or Canada or of another province of Canada; or

(c) circumstances or conduct that may result in a remedy or relief being available at law;

if the breach, contravention, circumstances or conduct in question has or may have occurred or is likely to occur and it is reasonable to conduct an investigation. (« enquête »)

"legal proceeding" means a civil, criminal or administrative proceeding that is related to

(a) a breach of an agreement;

(b) a contravention of an enactment of Manitoba or Canada or of another province of Canada; or

(c) a remedy available at law. (« instance »)

"minister" means the minister appointed by the Lieutenant Governor in Council to administer this Act. (« ministre »)

"Ombudsman" means the Ombudsman appointed under The Ombudsman Act. (« ombudsman »)

"organization" includes

(a) a corporation;

(b) an unincorporated association;

(c) a union as defined in The Labour Relations Act;

(d) a partnership as defined in The Partnership Act; and

(e) an individual acting in a commercial capacity;

but does not include an individual acting in a personal or domestic capacity. (« organisation »)

"personal employee information" means, in respect of an individual who is an employee or a potential employee, personal information reasonably required by an organization that is collected, used or disclosed solely for the purposes of establishing, managing or terminating

(a) an employment relationship; or

(b) a volunteer work relationship;

between the organization and the individual, but does not include personal information about the individual that is unrelated to that relationship. (« renseignements personnels liés à l'emploi »)

"personal information" means information about an identifiable individual. (« renseignements personnels »)

"personal reporting agency" means a personal reporting agency as defined in The Personal Investigations Act. (« bureau d'enquête privé »)

"public body" means a public body as defined in The Freedom of Information and Protection of Privacy Act. (« organisme public »)

"record" means a record of information in any form or in any medium, whether in written, printed, photographic, electronic or any other form, but does not include a computer program or other mechanism that can produce a record. (« document »)

"volunteer work relationship" means a relationship between an organization and an individual under which a service is provided for or in relation to or is undertaken in connection with the organization by an individual who is acting as a volunteer or is otherwise unpaid with respect to that service and includes any similar relationship involving an organization and an individual where, in respect of that relationship, the individual is a participant or a student. (« rapports mandant-bénévole »)

Standard as to what is reasonable

2           Where in this Act anything or any matter

(a) is described, characterized or referred to as reasonable or unreasonable; or

(b) is required or directed to be carried out or otherwise dealt with reasonably or in a reasonable manner;

the standard to be applied under this Act in determining whether the thing or matter is reasonable or unreasonable, or has been carried out or otherwise dealt with reasonably or in a reasonable manner, is what a reasonable person would consider appropriate in the circumstances.

PART 2

PURPOSE AND APPLICATION

Purpose

3           The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable.

Application

4(1)        Except as provided in this Act and subject to the regulations, this Act applies to every organization and in respect of all personal information.

Exemption re public body

4(2)        Subject to the regulations, this Act does not apply to a public body or any personal information that is in the custody of or under the control of a public body.

Other exemptions

4(3)        This Act does not apply to the following:

(a) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for personal or domestic purposes and for no other purpose;

(b) the collection, use or disclosure of personal information if the collection, use or disclosure, as the case may be, is for artistic or literary purposes and for no other purpose;

(c) the collection, use or disclosure of personal information, other than personal employee information, that is collected, used or disclosed pursuant to sections 15, 18 or 21, if the collection, use or disclosure, as the case may be, is for journalistic purposes and for no other purpose;

(d) the collection, use or disclosure of business contact information if the collection, use or disclosure, as the case may be, is for the purposes of contacting an individual in that individual's capacity as an employee or an official of an organization and for no other purpose;

(e) personal information that is in the custody of an organization if The Freedom of Information and Protection of Privacy Act applies to that information;

(f) personal health information as defined in The Personal Health Information Act where that information is collected, used or disclosed by an organization for health care purposes, including health research and management of the health care system, but for the purposes of this clause health information does not include personal employee information;

(g) the collection, use or disclosure of personal information by an officer of the Legislature, if the collection, use or disclosure, as the case may be, relates to the exercise of that officer's functions under an enactment;

(h) personal information about an individual if the individual has been dead for at least 20 years;

(i) personal information about an individual that is contained in a record that has been in existence for at least 100 years;

(j) personal information contained in any record transferred to an archival institution where access to the record was unrestricted or governed by an agreement between the archival institution and the donor of the record before the coming into force of this Act;

(k) personal information contained in a court file, a record of a judge of The Court of Appeal, the Court of Queen's Bench or The Provincial Court, a record of a master of the Court of Queen's Bench, a record of a sitting justice of the peace or a presiding justice of the peace under The Provincial Court Act, a judicial administration record or a record relating to support services provided to the judges of any of the courts referred to in this clause;

(l) personal information contained in a record of any type that has been created by or for

(i) a Member of the Legislative Assembly, or

(ii) an elected or appointed member of a public body;

(m) the collection, use or disclosure of personal information by a constituency association or a registered political party as defined in The Elections Finances Act;

(n) the collection, use or disclosure of personal information by an individual who is a candidate for public office where the information is being collected, used or disclosed, as the case may be, for the purposes of campaigning for that office and for no other purpose;

(o) personal information contained in a personal note, communication or draft decision created by or for a person who is acting in a judicial, quasi-judicial or adjudicative capacity.

Previously acquired information

4(4)        If an organization has under its control personal information about an individual that was acquired prior to the date upon which this Act comes into force, that information, for the purposes of this Act,

(a) is deemed to have been collected pursuant to consent given by that individual;

(b) may be used and disclosed by the organization for the identified purposes for which the information was initially collected; and

(c) after the coming into force of this Act, is to be treated in the same manner as information collected under this Act.

Legal matters and obligations of lawyers

4(5)        This Act is not to be applied so as to

(a) affect any legal privilege;

(b) limit the information available by law to a party to a legal proceeding; or

(c) limit or affect the collection, use or disclosure of information that is the subject of trust conditions or undertakings to which a lawyer is subject.

Conflict

4(6)        If a provision of this Act is inconsistent or in conflict with a provision of another enactment, the provision of this Act prevails unless

(a) the other enactment is The Freedom of Information and Protection of Privacy Act or The Personal Health Information Act; or

(b) another Act or a regulation under this Act expressly provides that the other Act or a regulation, or a provision of it, prevails notwithstanding this Act.

Waivers and releases void

4(7)        This Act applies notwithstanding any agreement to the contrary, and any waiver or release given of the rights, benefits or protections provided under this Act is against public policy and void.

PART 3

PROTECTION OF PERSONAL INFORMATION

DIVISION 1

COMPLIANCE AND POLICIES

Compliance with Act

5(1)        An organization is responsible for personal information that is in its custody or under its control.

Organization continues to be responsible

5(2)        For the purposes of this Act, where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person's compliance with this Act.

Designate individual responsible for compliance

5(3)        An organization must designate one or more individuals to be responsible for ensuring that the organization complies with this Act.

Delegation by designated individual

5(4)        An individual designated under subsection (3) may delegate to one or more individuals the duties conferred by that designation.

Organization must act reasonably

5(5)        In meeting its responsibilities under this Act, an organization must act in a reasonable manner.

Organization not relieved by designating individual

5(6)        Nothing in subsection (2) is to be construed so as to relieve any person from that person's responsibilities or obligations under this Act.

Policies and practices

6           An organization must

(a) develop and follow policies and practices that are reasonable for the organization to meet its obligations under this Act; and

(b) make information about the policies and practices referred to in clause (a) available on request.

DIVISION 2

CONSENT

Consent required

7(1)        Except where this Act provides otherwise, an organization shall not, with respect to personal information about an individual,

(a) collect that information unless the individual consents to the collection of that information;

(b) collect that information from a source other than the individual unless the individual consents to the collection of that information from the other source;

(c) use that information unless the individual consents to the use of that information; or

(d) disclose that information unless the individual consents to the disclosure of that information.

Organization cannot require greater consent

7(2)        An organization shall not, as a condition of supplying a product or service, require an individual to consent to the collection, use or disclosure of personal information about an individual beyond what is necessary to provide the product or service.

Individual may limit consent

7(3)        An individual may give consent subject to any reasonable terms, conditions or qualifications established, set, approved by or otherwise acceptable to the individual.

Form of consent

8(1)        An individual may give his or her consent in writing or orally to the collection, use or disclosure of personal information about the individual.

Giving information may be deemed consent

8(2)        An individual is deemed to consent to the collection, use or disclosure of personal information about the individual by an organization for a particular purpose if

(a) the individual, without actually giving the consent referred to in subsection (1), voluntarily provides the information to the organization for that purpose; and

(b) it is reasonable that a person would voluntarily provide that information.

Notice in place of consent

8(3)        Notwithstanding subsection 7(1), an organization may collect, use or disclose personal information about an individual for particular purposes if

(a) the organization

(i) provides the individual with a notice, in a form that the individual can reasonably be expected to understand, that the organization intends to collect, use or disclose personal information about the individual for those purposes, and

(ii) with respect to that notice, gives the individual a reasonable opportunity to decline or object to having his or her personal information collected, used or disclosed for those purposes;

(b) the individual does not, within a reasonable time, give the organization a response to that notice declining or objecting to the proposed collection, use or disclosure; and

(c) having regard to the level of the sensitivity, if any, of the information in the circumstances, it is reasonable to collect, use or disclose the information as permitted under clauses (a) and (b).

Information to be used only for purpose it was collected

8(4)        Subsections (2) and (3) are not to be construed so as to authorize an organization to collect, use or disclose personal information for any purpose other than the particular purposes for which the information was collected.

Manner of giving consent

8(5)        Consent in writing may be given or otherwise transmitted by electronic means to an organization if the organization receiving that transmittal produces or is able at any time to produce a printed copy, image or reproduction of the consent in paper form.

Withdrawal or variation of consent

9(1)        Subject to subsection (5), on giving reasonable notice to an organization, an individual may at any time withdraw or vary consent to the collection, use or disclosure by the organization of personal information about the individual.

Information re withdrawing or varying consent

9(2)        On receipt of notice referred to in subsection (1), an organization must, subject to subsection (3), inform the individual of the likely consequences to the individual of withdrawing or varying the consent.

If consequences of withdrawal reasonably obvious

9(3)        An organization is not required to inform an individual under subsection (2) if the likely consequences of withdrawing or varying the consent would be reasonably obvious to the individual.

Withdrawal or variation must be complied with

9(4)        Except where the collection, use or disclosure of personal information without consent of the individual is permitted under this Act, if an individual withdraws or varies a consent to the collection, use or disclosure of personal information about the individual by an organization, the organization must,

(a) in the case of the withdrawal of a consent, stop collecting, using or disclosing the information; and

(b) in the case of a variation of a consent, abide by the consent as varied.

Effect where legal obligation between parties

9(5)        If withdrawing or varying consent would frustrate the performance of a legal obligation, any withdrawal or variation of the consent does not, unless otherwise agreed to by the parties who are subject to the legal obligation, operate to the extent that the withdrawal or variation would frustrate the performance of the legal obligation owed between those parties.

Manner of giving notice of withdrawal or variation

9(6)        A withdrawal or variation of consent by an individual may be given to an organization in the same manner as consent may be given.

Terms of withdrawal to be acceptable to individual

9(7)        An individual may, subject to this section, withdraw or vary consent subject to any reasonable terms, conditions or qualifications established, set, approved by or otherwise acceptable to the individual.

No obligations imposed by withdrawal or variation

9(8)        Nothing in this section is to be construed so as to empower

(a) an individual, as part of the withdrawal or variation of a consent, to impose an obligation or a liability on an organization, unless the organization agrees otherwise; or

(b) an organization, as part of the withdrawal or variation of a consent, to impose an obligation or liability on an individual, unless the individual agrees otherwise.

Consent obtained by deception, etc.

10          If an organization obtains or attempts to obtain consent to the collection, use or disclosure of personal information by

(a) providing false or misleading information respecting the collection, use or disclosure of the information; or

(b) using deceptive or misleading practices;

any consent provided or obtained under those circumstances is negated.

DIVISION 3

COLLECTION OF PERSONAL INFORMATION

Limitations on collection

11(1)       An organization may collect personal information only for purposes that are reasonable.

Purpose determines if what collected is reasonable

11(2)        Where an organization collects personal information, it may do so only to the extent that is reasonable for meeting the purposes for which the information is collected.

Limitation on sources for collection

12          An organization may without the consent of the individual collect personal information about an individual from a source other than that individual if the information that is to be collected is information that may be collected without the consent of the individual under section 14, 15 or 22.

Notification required for collection

13(1)       Before or at the time of collecting personal information about an individual from the individual, an organization must notify that individual in writing or orally

(a) as to the purposes for which the information is collected; and

(b) of the name of a person who is able to answer on behalf of the organization questions about the collection.

If organization collects from another — with consent

13(2)       Before or at the time personal information about an individual is collected from another organization with the consent of the individual, the organization collecting the information must notify the organization that is disclosing the information that the individual has consented to the collection of the information.

If organization collects from another — without consent

13(3)       Before or at the time personal information about an individual is collected from another organization without the consent of the individual, the organization collecting the personal information must provide the organization that is disclosing the personal information with sufficient information regarding the purpose for which the personal information is being collected in order to allow the organization that is disclosing the personal information to make a determination as to whether such disclosure of the personal information would be in accordance with this Act.

Exception

13(4)       Subsection (1) does not apply to the collection of personal information that is carried out pursuant to subsection 8(2).

Collection without consent

14          An organization may collect personal information about an individual without the consent of that individual only if one or more of the following are applicable:

(a) a reasonable person would consider that the collection of the information is clearly in the interests of the individual, and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;

(b) the collection of the information is pursuant to an enactment of Manitoba or Canada that authorizes or requires the collection;

(c) the collection of the information is from a public body and that public body is authorized or required by an enactment of Manitoba or Canada to disclose the information to the organization;

(d) the collection of the information is reasonable for the purposes of an investigation or a legal proceeding;

(e) the information is publicly available and is specified by the regulations;

(f) the collection of the information is necessary to determine the individual's suitability to receive an honour, award or similar recognition or benefit, including an honorary degree, scholarship or bursary;

(g) the information is collected by a personal reporting agency to create a personal report where the individual consented to the disclosure to the personal reporting agency by the organization that originally collected the information;

(h) the information may be disclosed to the organization without the consent of the individual under section 20;

(i) the collection of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;

(j) the organization collecting the information is an archival institution and the collection of the information is reasonable for archival purposes or research;

(k) the collection of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

Collection of personal employee information

15(1)       Notwithstanding anything in this Act other than subsection (2), an organization may collect personal employee information about an individual without the consent of the individual if

(a) the individual is an employee of the organization; or

(b) the collection of the information is for the purpose of recruiting a potential employee.

Limited circumstances where consent not required

15(2)       An organization shall not collect personal information about an individual under subsection (1) without the consent of the individual unless

(a) the collection is reasonable for the purposes for which the information is being collected;

(b) the information consists only of information that is related to the employment or volunteer work relationship of the individual; and

(c) in the case of an individual who is an employee of the organization, the organization has, before collecting the information, provided the individual with reasonable notification that the information is going to be collected and of the purposes for which the information is going to be collected.

Disclosure of employee information without consent

15(3)       An organization may disclose personal employee information about an individual without the consent of the individual where that information is being disclosed to an organization that is collecting that information under subsection (1).

Exception

15(4)       Nothing in this section is to be construed so as to restrict or otherwise affect an organization's ability to collect personal information under section 14.

DIVISION 4

USE OF PERSONAL INFORMATION

Limitations on use

16(1)       An organization may use personal information only for purposes that are reasonable.

Purpose determines if use reasonable

16(2)       Where an organization uses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which the information is used.

Use without consent

17          An organization may use personal information about an individual without the consent of the individual but only if one or more of the following are applicable:

(a) a reasonable person would consider that the use of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;

(b) the use of the information is pursuant to an enactment of Manitoba or Canada that authorizes or requires the use;

(c) the information was collected by the organization from a public body and that public body is authorized or required by an enactment of Manitoba or Canada to disclose the information to the organization;

(d) the use of the information is reasonable for the purposes of an investigation or a legal proceeding;

(e) the information is publicly available and is specified by the regulations;

(f) the use of the information is necessary to determine the individual's suitability to receive an honour, award or similar recognition or benefit, including an honorary degree, scholarship or bursary;

(g) a personal reporting agency was permitted to collect the information under clause 14(g) and the information is not used by the personal reporting agency for any purpose other than to create a personal report;

(h) the information may be disclosed by an organization without the consent of the individual under section 20;

(i) the use of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;

(j) the use of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;

(k) the organization using the information is an archival institution and the use of the information is reasonable for archival purposes or research;

(l) the use of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

Use of personal employee information

18(1)       Notwithstanding anything in this Act other than subsection (2), an organization may use personal employee information about an individual without the consent of the individual if

(a) the individual is an employee of the organization; or

(b) the use of the information is for the purpose of recruiting a potential employee.

Purpose determines if use reasonable

18(2)       An organization shall not use personal information about an individual under subsection (1) without the consent of the individual unless

(a) the use is reasonable for the purposes for which the information is being used;

(b) the information consists only of information that is related to the employment or volunteer work relationship of the individual; and

(c) in the case of an individual who is an employee of the organization, the organization has, before using the information, provided the individual with reasonable notification that the information is going to be used and of the purposes for which the information is going to be used.

Exception

18(3)       Nothing in this section is to be construed so as to restrict or otherwise affect an organization's ability to use personal information under section 17.

DIVISION 5

DISCLOSURE OF PERSONAL INFORMATION

Limitations on disclosure

19(1)       An organization may disclose personal information only for purposes that are reasonable.

Purposes determine if disclosure reasonable

19(2)       Where an organization discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which the information is disclosed.

When disclosure without consent permitted

20          An organization may disclose personal information about an individual without the consent of the individual but only if one or more of the following are applicable:

(a) a reasonable person would consider that the disclosure of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;

(b) the disclosure of the information is pursuant to an enactment of Manitoba or Canada that authorizes or requires the disclosure;

(c) the disclosure of the information is to a public body and that public body is authorized or required by an enactment of Manitoba or Canada to collect the information from the organization;

(d) the disclosure of the information is in accordance with a provision of a treaty that

(i) authorizes or requires its disclosure, and

(ii) is made under an enactment of Manitoba or Canada;

(e) the disclosure of the information is for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction to compel the production of information or with a rule of court that relates to the production of information;

(f) the disclosure of the information is to a public body or a law enforcement agency in Canada to assist in an investigation

(i) undertaken with a view to a law enforcement proceeding, or

(ii) from which a law enforcement proceeding is likely to result;

(g) the disclosure of the information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;

(h) the disclosure of the information is for the purposes of contacting the next of kin or a friend of an injured, ill or deceased individual;

(i) the disclosure of the information is necessary in order to collect a debt owed to the organization or for the organization to repay to the individual money owed by the organization;

(j) the information is publicly available and is specified by the regulations;

(k) the disclosure of the information is to the surviving spouse, common-law partner or to a relative of a deceased individual if, in the opinion of the organization, the disclosure is reasonable;

(l) the disclosure of the information is necessary to determine the individual's suitability to receive an honour, award or similar recognition or benefit, including an honorary degree, scholarship or bursary;

(m) the disclosure of the information is reasonable for the purposes of an investigation or a legal proceeding;

(n) the disclosure of the information is for the purposes of protecting against, or for the prevention, detection or suppression of, fraud, market manipulation or unfair business practices and the organization that is disclosing the information or to which the information is being disclosed is permitted or otherwise empowered or recognized under an enactment of Manitoba or Canada or of another province of Canada to carry out any of those purposes;

(o) the organization is a personal reporting agency and is permitted to disclose the information under The Personal Investigations Act;

(p) the organization disclosing the information is an archival institution and the disclosure of the information is reasonable for archival purposes or research;

(q) the disclosure of the information meets the requirements respecting archival purposes or research set out in the regulations and it is not reasonable to obtain the consent of the individual whom the information is about.

Disclosure of personal employee information

21(1)       Notwithstanding anything in this Act other than subsection (2), an organization may disclose personal employee information about an individual without the consent of the individual if

(a) the individual is or was an employee of the organization; or

(b) the disclosure of the information is for the purpose of recruiting a potential employee.

When disclosure without consent permitted

21(2)       An organization shall not disclose personal information about an individual under subsection (1) without the consent of the individual unless

(a) the disclosure is reasonable for the purposes for which the information is being disclosed;

(b) the information consists only of information that is related to the employment or volunteer work relationship of the individual; and

(c) in the case of an individual who is an employee of the organization, the organization has, before disclosing the information, provided the individual with reasonable notification that the information is going to be disclosed and of the purposes for which the information is going to be disclosed.

Exception

21(3)       Nothing in this section is to be construed so as to restrict or otherwise affect an organization's ability to disclose personal information under section 20.

DIVISION 6

BUSINESS TRANSACTIONS

Definitions

22(1)       The following definitions apply in this section.

"business transaction" means a transaction consisting of the purchase, sale, lease, merger or amalgamation or any other type of acquisition or disposal of, or the taking of a security interest in respect of, an organization or a portion of an organization or any business or activity or business asset of an organization and includes a prospective transaction of such a nature. (« opération commerciale »)

"party" includes a prospective party. (« partie »)

Business transactions — collection, use and disclosure

22(2)       Notwithstanding anything in this Act, other than this section, an organization may for the purposes of a business transaction between itself and one or more other organizations collect, use and disclose personal information in accordance with this section.

Disclosure respecting acquisition of a business, etc.

22(3)       Organizations that are parties to a business transaction may,

(a) during the period leading up to and including the completion, if any, of the business transaction, collect, use and disclose personal information about individuals without the consent of the individuals if

(i) the parties have entered into a written agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, and

(ii) the information is necessary

(A) for the parties to determine whether to proceed with the business transaction, and

(B) if they proceed with the business transaction, for the parties to carry out and complete the business transaction; and

(b) where the business transaction is completed, collect, use and disclose personal information about individuals without the consent of the individuals if

(i) the parties have entered into an agreement under which the parties undertake to use and disclose the information only for those purposes for which the information was initially collected from or in respect of the individuals, and

(ii) the information relates solely to the carrying on of the business or activity or the carrying out of the objects for which the business transaction took place.

Information must be destroyed or returned

22(4)       If a business transaction does not proceed or is not completed, the party to whom the personal information was disclosed must, if the information is still in the custody of or under the control of that party, either destroy the information or return it to the party that disclosed the information.

Consent may be obtained for other uses etc.

22(5)       Nothing in this section is to be construed so as to restrict a party to a business transaction from obtaining consent of an individual to the collection, use or disclosure of personal information about the individual for purposes that are beyond the purposes for which the party obtained the information under this section.

Exception

22(6)       This section does not apply to a business transaction where the primary purpose, objective or result of the transaction is the purchase, sale, lease, transfer, disposal or disclosure of personal information.

PART 4

ACCESS TO AND CORRECTION AND CARE OF PERSONAL INFORMATION

DIVISION 1

ACCESS AND CORRECTION

Definitions

23          The following definitions apply in this Division.

"applicant" means an individual who makes a written request in accordance with section 26. (« auteur de la demande »)

"organization" does not include any person acting on behalf of an organization. (« organisation »)

Access

24(1)       Subject to subsections (2) to (4), on the request of an individual for access to personal information about the individual and taking into consideration what is reasonable, an organization must provide the individual with access to the following:

(a) the individual's personal information, where that information is contained in a record that is in the custody or under the control of the organization;

(b) the purposes for which the personal information referred to in clause (a) has been and is being used by the organization;

(c) the names of the persons to whom and circumstances in which the personal information referred to in clause (a) has been and is being disclosed.

Where access may be refused

24(2)       An organization may refuse to provide access to personal information under subsection (1) if

(a) the information is protected by any legal privilege;

(b) the disclosure of the information would reveal confidential information that is of a commercial nature and it is not unreasonable to withhold that information;

(c) the information was collected for an investigation or legal proceeding;

(d) the disclosure of the information might result in that type of information no longer being provided to the organization when it is reasonable that that type of information would be provided;

(e) the information was collected by a mediator or arbitrator or was created in the course of a mediation or arbitration for which the mediator or arbitrator was appointed to act

(i) under an agreement,

(ii) under an enactment, or

(iii) by a court; or

(f) the information relates to or may be used in the exercise of prosecutorial discretion.

Where access must be refused

24(3)       An organization shall not provide access to personal information under subsection (1) if

(a) the disclosure of the information could reasonably be expected to threaten the life or security of another individual;

(b) the information would reveal personal information about another individual; or

(c) the information would reveal the identity of an individual who has in confidence provided an opinion about another individual and the individual providing the opinion does not consent to disclosure of his or her identity.

Inaccessible information to be severed

24(4)       If, in respect of a record, an organization is reasonably able to sever the information referred to in clause (2)(b) or subsection (3) from a copy of the record that contains personal information about the individual who requested it, the organization must provide the individual with access to the record after the information referred to in clause (2)(b) or subsection (3) has been severed.

Right to request correction

25(1)       An individual may request that an organization correct an error or omission in the personal information about the individual that is under the control of the organization.

Correction must be made

25(2)       If there is an error or omission in personal information in respect of which a request for a correction is received by an organization under subsection (1), the organization must, subject to subsection (3),

(a) correct the information as soon as reasonably possible; and

(b) where the organization has disclosed the incorrect information to other organizations, send a notification containing the corrected information to each organization to which the incorrect information has been disclosed, if it is reasonable to do so.

Annotation of requested correction that is not made

25(3)       If an organization is satisfied on reasonable grounds that a requested correction under subsection (2) should not be made, the organization must annotate the personal information under its control with the correction that was requested but not made.

Information corrected per notification

25(4)       On receiving a notification under clause (2)(b) containing corrected personal information, an organization must correct the personal information in its custody or under its control.

Exception

25(5)       Notwithstanding anything in this section, an organization shall not correct or otherwise alter an opinion, including a professional or expert opinion.

How to make a request

26(1)       For an individual to obtain access to personal information about that individual or make a request for a correction to personal information about that individual, the individual must make a written request to the organization setting out sufficient detail to enable the organization, with a reasonable effort, to identify the information in respect of which the written request is made.

Applicant may request copy of information

26(2)       The applicant may ask for a copy of the record, or ask to examine the record, that contains personal information about the applicant.

Duty to assist

27(1)       An organization must

(a) make every reasonable effort

(i) to assist applicants, and

(ii) to respond to each applicant as accurately and completely as reasonably possible; and

(b) at the request of an applicant provide, if it is reasonable to do so, an explanation of any term, code or abbreviation used or referred to in any record provided to the applicant.

Creating record to be given to applicant

27(2)       An organization must, with respect to an applicant's personal information, create a record for the applicant if

(a) the record can be created from a record that is in electronic form and that is under the control of the organization, using its normal computer hardware and software and technical expertise; and

(b) creating the record would not unreasonably interfere with the operations of the organization.

Time limit for responding

28(1)       Subject to this section, an organization must respond to an applicant not later than

(a) 45 days from the day that the organization receives the applicant's written request referred to in section 26; or

(b) the end of an extended time period if the time period is extended under section 31.

Extension

28(2)       An organization is not required to comply with clause (1)(a) if the time period is extended under section 31.

Time period for deciding extension not included

28(3)       If an organization asks the Ombudsman under section 31 for authorization to extend the time limit for responding, the 45-day period referred to in subsection (1) does not include the period from the start of the day in which the request is made under section 31 to the end of the day in which a decision is made by the Ombudsman with respect to giving the authorization.

Contents of response

29          In a response to a request made under section 24, the organization must inform the applicant

(a) as to whether or not the applicant is entitled to or will be given access to all or part of his or her personal information;

(b) if the applicant is entitled to or will be given access, when and where access will be given; and

(c) if access to all or part of the applicant's personal information is refused,

(i) of the reasons for the refusal and the provision of this Act on which the refusal is based, and

(ii) of the name of the person who can answer, on behalf of the organization, questions about the refusal.

How access will be given

30          Where an applicant is informed under section 29 that access will be given, the organization must,

(a) if an applicant has asked for a copy of the applicant's personal information and the information can reasonably be reproduced,

(i) provide with the response a copy of the information or the record or part of the record relating to the information, or

(ii) give the applicant reasons for the delay in providing the information or record; or

(b) if an applicant has asked to examine the record relating to the applicant's personal information or if the record cannot reasonably be reproduced,

(i) permit the applicant to examine the record or part of the record, or

(ii) give the applicant access in accordance with the regulations.

Extending the time limit for responding

31(1)       An organization may, with respect to a request made under section 24, extend the time period for responding to the request by up to an additional 30 days or, with the Ombudsman's permission, to a longer period, if

(a) the applicant does not give enough detail to enable the organization to identify the personal information or the record relating to the information;

(b) a large amount of personal information is requested or must be searched;

(c) meeting the time limit would unreasonably interfere with the operations of the organization; or

(d) more time is needed to consult with another organization or with a public body before the organization is able to determine whether or not to give the applicant access to the requested personal information or record relating to the information.

Applicant to be informed of extension

31(2)       If the time period is extended under subsection (1), the organization must inform the applicant of

(a) the reason for the extension; and

(b) the time when a response from the organization can be expected.

Fees

32(1)       An organization may charge an applicant who makes a request under section 24 a reasonable fee for access to the applicant's personal information or a record relating to the information.

No fee for requested correction

32(2)       Subject to the regulations, a fee is not payable by an applicant in respect of a request made under section 25.

Fee to be estimated and deposit may be required

32(3)       If an organization is intending to charge an applicant a fee for a service, the organization

(a) must give the applicant a written estimate of the total fee before providing the service; and

(b) may require the applicant to pay a deposit in the manner and amount determined by the organization.

DIVISION 2

CARE OF PERSONAL INFORMATION

Accuracy of information

33          An organization must make a reasonable effort to ensure that any personal information collected, used or disclosed by or on behalf of an organization is accurate and complete.

Protection of information

34(1)       An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction.

Notice if control of information lost

34(2)       An organization must, as soon as reasonably practicable and in the prescribed manner, notify an individual if personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner.

Exception re law enforcement agency investigation

34(3)       The requirement to notify an individual under subsection (2) does not apply where

(a) the organization is instructed to refrain from doing so by a law enforcement agency that is investigating the theft, loss or unauthorized accessing of the personal information; or

(b) the organization is satisfied that it is not reasonably possible for the personal information to be used unlawfully.

Right of action

34(4)       An individual may commence an action in a court of competent jurisdiction against an organization for damages arising from its failure to

(a) protect personal information that is in its custody or under its control; or

(b) provide an individual notice under subsection (2), if it was not reasonable for the organization to have been satisfied that the personal information that was stolen, lost or accessed in an unauthorized manner would not be used unlawfully.

Other rights not affected

34(5)       The right of action under this section is in addition to any other right of action or remedy available at law.  But where the court deems it just, damages awarded in an action under this section may be taken into account in assessing damages in any other proceeding arising out of the failure of the organization to protect personal information in its custody or under its control.

Retention of information

35          Notwithstanding that a consent has been withdrawn or varied under section 9, an organization may for legal or business purposes retain personal information as long as is reasonable.

PART 5

PROFESSIONAL REGULATORY AND NON-PROFIT ORGANIZATIONS

Professional regulatory organizations

36(1)       The following definitions apply in this section.

"member" means a member of a professional regulatory organization. (« membre »)

"personal information code" means a code governing the collection, use and disclosure of personal information in a manner that is consistent with the purposes and intent of sections 1 to 35 of this Act. (« code régissant les renseignements personnels »)

"professional Act" means an enactment under which a professional or occupational group or discipline is organized and that provides for the membership in and the regulation of the members of the professional or occupational group or discipline, including the registration, competence, conduct, practice and discipline of its members. (« loi professionnelle »)

"professional regulatory organization" means an organization incorporated under a professional Act. (« organisme de réglementation professionnelle »)

Regulations re professional regulatory organizations

36(2)       The Lieutenant Governor in Council may make regulations

(a) authorizing a professional regulatory organization to establish a personal information code;

(b) governing personal information codes established under this Part and the requirements to be met by those codes;

(c) establishing and governing or otherwise providing for an arrangement, plan or other type of program under which the minister may, subject to any terms or conditions imposed by the minister,

(i) grant an authorization to a professional regulatory organization authorizing the professional regulatory organization to collect, use and disclose personal information pursuant to a personal information code, and

(ii) direct that, during the period that the code is in effect,

(A) the code, with respect to matters provided for under the code, is to operate in the place of sections 1 to 35, or any one or more of those provisions, insofar as the code provides for those matters, and

(B) compliance by the professional regulatory organization with the code, the terms or conditions, if any, imposed by the minister under subsection (3) is deemed to be in compliance with sections 1 to 35, or any one or more of those provisions, insofar as the code operates in the place of those provisions;

(d) governing the granting of, revoking of and varying of any authorization or direction and any terms or conditions provided for in clause (c);

(e) governing the coming into force of this Act or any provision of this Act with respect to a professional regulatory organization;

(f) providing that this Act or any provision of this Act commences to apply to a professional regulatory organization at a date that is later than the date upon which this Act is proclaimed into force;

(g) providing for and governing any transitional matter relating to the application of this Act to a professional regulatory organization.

Regulation may be general or specific

36(3)       Any regulation made under this section may be general or specific in its application.

Non-profit organizations

37(1)       The following definitions apply in this section.

"commercial activity" means any transaction, act or conduct or any regular course of conduct that is of a commercial character and, without restricting the generality of the foregoing, includes the following:

(a) the selling, bartering or leasing of membership, donor or other fundraising lists;

(b) the operation of a private school as defined in The Education Administration Act. (« activité commerciale »)

"non-profit organization" includes an organization that meets the criteria established under the regulations to qualify as a non-profit organization. (« organisme à but non lucratif »)

Exception re non-profit organizations

37(2)       Subject to subsection (3), this Act does not apply to a non-profit organization or any personal information that is in the custody of or under the control of a non-profit organization.

Act applies to commercial activity

37(3)       This Act applies to a non-profit organization in the case of personal information that is collected, used or disclosed by the non-profit organization in connection with any commercial activity carried out by the non-profit organization.

Regulations re non-profit organizations

37(4)        The Lieutenant Governor in Council may make regulations

(a) establishing the criteria to be met by an organization to qualify as a non-profit organization;

(b) establishing the criteria to be met by non-profit organizations to qualify as non-profit organizations that are restricted or otherwise limited in the scope of their operations and exempting those non-profit organizations from the operation of subsection (3);

(c) governing the coming into force of this Act or any provision of this Act with respect to a non-profit organization;

(d) providing that this Act or any provision of this Act commences to apply to a non-profit organization at a date that is later than the date upon which it is proclaimed into force;

(e) providing for and governing any transitional matter relating to the application of this Act to a non-profit organization.

Regulation may be general or specific

37(5)       Any regulation made under this section may be general or specific in its application.

PART 6

GENERAL PROVISIONS

Protection of organization from legal actions

38          No action lies and no proceeding may be brought against an organization, or any person acting on behalf of or under the direction of an organization, for damages resulting from

(a) the disclosure of or failure to disclose, in good faith, all or part of a record or personal information under this Act, or any consequences of that disclosure or failure to disclose; or

(b) the failure to give a notice required under this Act, if reasonable care was taken to give the required notice.

Protection of employee

39          An organization shall not take any adverse employment action against an employee of the organization, or deny an employee a benefit, on account of or for any reason arising out of the situation where

(a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Ombudsman that the organization or any other person has contravened or is about to contravene this Act;

(b) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act;

(c) the employee, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of this Act; or

(d) the organization believes that the employee will do anything described in clause (a), (b) or (c).

Exercise of rights by other persons

40(1)       Any right or power conferred on an individual by this Act may be exercised

(a) if the individual is 18 years of age or older, by the individual;

(b) if the individual is under 18 years of age and understands the nature of the right or power and the consequences of exercising the right or power, by the individual;

(c) if the individual is under 18 years of age but does not meet the criterion in clause (b), by the guardian of the individual;

(d) if the individual is deceased, by the individual's personal representative if the exercise of the right or power relates to the administration of the individual's estate;

(e) if a committee or substitute decision maker has been appointed for the individual under The Mental Health Act or The Vulnerable Persons Living with a Mental Disability Act, by the committee or substitute decision maker if the exercise of the right or power relates to the powers and duties of the committee or substitute decision maker;

(f) if a proxy has been designated under a health care directive under The Health Care Directives Act, by the proxy if the directive so authorizes;

(g) if a power of attorney has been granted by the individual, by the attorney if the exercise of the right or power relates to the powers and duties conferred by the power of attorney; or

(h) by any person with written authorization from the individual to act on the individual's behalf.

Who notice may be given to

40(2)       Any notice or communication to be given to an individual under this Act may be given to the person entitled to exercise the individual's rights or powers referred to in subsection (1).

Offences

41(1)       Subject to subsection (3), a person commits an offence if the person

(a) willfully collects, uses or discloses personal information in contravention of Part 2;

(b) willfully attempts to gain or gains access to personal information in contravention of this Act; or

(c) disposes of or alters, falsifies, conceals or destroys personal information or any record relating to personal information, or directs another person to do so, with an intent to evade a request for access to the information or the record.

Penalties

41(2)       A person who commits an offence under subsection (1) is liable on summary conviction,

(a) in the case of an individual, to a fine of not more than $10,000; and

(b) in the case of a person other than an individual, to a fine of not more than $100,000.

No offence if action reasonable

41(3)       Neither an organization nor an individual is guilty of an offence under this Act if it is established to the satisfaction of the court that the organization or individual, as the case may be, acted reasonably in the circumstances that gave rise to the offence.

General regulations

42(1)       The Lieutenant Governor in Council may make regulations

(a) defining, for the purposes of this Act, any term that is used in this Act but is not defined in this Act;

(b) governing procedures to be followed in making and responding to requests under this Act and for gaining and giving access to personal information or records;

(c) governing the giving of consent and any other direction under this Act;

(d) governing the application of this Act to persons who collect, use or disclose personal information in the course of carrying out investigations or similar inquiries as part of their functions or duties pursuant to an authority given to those persons under an enactment or in the course of acting as peace officers;

(e) governing the collection, use and disclosure of personal information for archival purposes or research and respecting requirements concerning archival purposes or research;

(f) expressly providing that another enactment or a provision of it prevails notwithstanding this Act;

(g) governing forms or notices to be used under this Act and the manner in which notices are to be given;

(h) governing fees, including circumstances in which fees

(i) are or are not payable, or

(ii) must not be above a prescribed amount or percentage;

(i) respecting the application of this Act to a public body;

(j) prescribing additional subject matter in respect of which or circumstances under which personal information or a specific type of personal information may be collected, used or disclosed without the consent of the individual that are in addition to the subject matter in respect of which or circumstances under which personal information may be collected, used or disclosed without the consent of the individual under section 14, 17 or 20;

(k) prescribing or otherwise determining whether or not personal information or a specific type of personal information does or does not come within the meaning of a provision of section 14, 15, 17, 18, 20, 21 or 22 under which personal information may be collected, used or disclosed without the consent of the individual;

(l) specifying information or classes of information for the purpose of clauses 14(e), 17(e) and 20(j);

(m) prescribing or otherwise determining whether or not personal information or a specific type of personal information does or does not come within the meaning of a provision of subsection 4(3);

(n) prescribing reasonable security arrangements that must be made by organizations which possess or control personal information.

Application of regulation

42(2)       Where a regulation made

(a) under clause (1)(j) prescribes additional subject matter with respect to which or circumstances under which personal information may be collected, used or disclosed without the consent of the individual, that information is to be treated in the same manner as if it had been collected, used or disclosed under section 14, 17 or 20, as the case may be;

(b) under clause (1)(k) prescribes or otherwise determines that personal information

(i) comes within the meaning of a provision of section 14, 15, 17, 18, 20, 21 or 22, as the case may be, that information is to be treated in the same manner as any other personal information that is dealt with under that provision, or

(ii) does not come within the meaning of a provision of section 14, 15, 17, 18, 20, 21 or 22, as the case may be, that information is to be treated in the same manner as any other personal information that does not come within the meaning of that provision; and

(c) under clause (1)(l) prescribes or otherwise determines that personal information

(i) comes within the meaning of a provision of subsection 4(3), that information is to be treated in the same manner as any other personal information that comes within the meaning of that provision, or

(ii) does not come within the meaning of a provision of subsection 4(3), that information is to be treated in the same manner as any other personal information that does not come within the meaning of that provision.

Regulation may be general or specific

42(3)       A regulation made under subsection (1) may be general or specific in its application.

Review of Act

43(1)       Eighteen months after this Act comes into force and at least once every three years thereafter, a special committee of the Legislative Assembly must undertake a comprehensive review of this Act and must submit a report respecting this Act to the Legislative Assembly within 18 months after beginning the review.

Content of report

43(2)       A report submitted under subsection (1) may include any amendments to this Act or any other Act that are recommended by the committee.

C.C.S.M. reference

44          This Act may be referred to as chapter P33.7 of the Continuing Consolidation of the Statutes of Manitoba.

Coming into force

45          This Act comes into force on a day to be fixed by proclamation.

Explanatory Note

This Bill governs the collection, use and disclosure of personal information by organizations in the private sector.  It also establishes a duty for those organizations to notify individuals who may be affected when the personal information the organization has collected is lost, stolen or compromised.