Information Security – Know The Laws Of Your Province

Information security regulations are vital for ensuring the protection of personal information in workplaces. These regulations require employers to develop and maintain policies that safeguard data from unauthorized access, use, or disclosure. Key measures include limiting the collection of information to necessary purposes, ensuring secure storage and transmission, and training employees on privacy responsibilities. While general privacy principles are consistent across Canada, specific regulations vary by province and territory to address unique legal and operational requirements. Compliance with these regulations minimizes risks, protects individual rights, and promotes a culture of accountability and trust in the workplace.

In Canada, employers must address information security under the Privacy Act Sections 4, 6(1), and 8, and the Canadian Human Rights Act Sections 3 and 12. Employers must ensure that personal information is collected only for authorized purposes, securely retained, and disclosed only as permitted by law. They must also prevent discriminatory use or publication of personal data. Strong information security practices protect privacy, ensure fairness, and maintain trust in the workplace.

Privacy Act

Collection, Retention, and Disposal of Personal Information

Collection of Personal Information

No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. Section 4.

Retention of Personal Information Used for an Administrative Purpose

(1) Personal information that has been used by a government institution for an administrative purpose shall be retained by the institution for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information. Section 6.

Protection of Personal Information

Disclosure of Personal Information

(1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.

Where personal information may be disclosed:

(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed:

(a) for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose;

(b) for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure;

(c) for the purpose of complying with a subpoena or warrant issued or order made by a court, person or body with jurisdiction to compel the production of information or for the purpose of complying with rules of court relating to the production of information;

(d) to the Attorney General of Canada for use in legal proceedings involving the Crown in right of Canada or the Government of Canada;

(e) to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed;

(f) for the purpose of administering or enforcing any law or carrying out a lawful investigation, under an agreement or arrangement between the Government of Canada or any of its institutions and any of the following entities or any of their institutions:

(i) the government of a foreign state,

(ii) an international organization of states or an international organization established by the governments of states,

(iii) the government of a province,

(iv) the council of the Westbank First Nation,

(v) the council of a participating First Nation as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act,

(vi) the council of a participating First Nation as defined in section 2 of the Anishinabek Nation Education Agreement Act,

(vii) a First Nation Government or the Anishinabek Nation Government, as defined in section 2 of the Anishinabek Nation Governance Agreement Act, or an Anishinaabe Institution, within the meaning of section 1.1 of the Agreement, as defined in section 2 of that Act,

(vii.1) the Whitecap Dakota Government, as defined in section 2 of the Self-Government Treaty Recognizing the Whitecap Dakota Nation / Wapaha Ska Dakota Oyate Act;

(g) to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem;

(h) to officers or employees of the institution for internal audit purposes, or to the office of the Comptroller General or any other person or body specified in the regulations for audit purposes;

(i) to the Library and Archives of Canada for archival purposes;

(j) to any person or body for research or statistical purposes if the head of the government institution:

(i) is satisfied that the purpose for which the information is disclosed cannot reasonably be accomplished unless the information is provided in a form that would identify the individual to whom it relates, and

(ii) obtains from the person or body a written undertaking that no subsequent disclosure of the information will be made in a form that could reasonably be expected to identify the individual to whom it relates;

(k) to any aboriginal government, association of aboriginal people, Indian band, government institution or part thereof, or to any person acting on behalf of such government, association, band, institution or part thereof, for the purpose of researching or validating the claims, disputes or grievances of any of the aboriginal peoples of Canada;

(l) to any government institution for the purpose of locating an individual in order to collect a debt owing to Her Majesty in right of Canada by that individual or make a payment owing to that individual by Her Majesty in right of Canada; and

(m) for any purpose where, in the opinion of the head of the institution,

(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or

(ii) disclosure would clearly benefit the individual to whom the information relates. Section 8 (1) to (3).

Canadian Human Rights Act

PART I – Proscribed Discrimination

General – Prohibited Grounds of Discrimination

(1) For all purposes of this Act, the prohibited grounds of discrimination are race, national or ethnic origin, colour, religion, age, sex, sexual orientation, gender identity or expression, marital status, family status, genetic characteristics, disability, and conviction for an offence for which a pardon has been granted or in respect of which a record suspension has been ordered.

(2) Where the ground of discrimination is pregnancy or childbirth, the discrimination shall be deemed to be on the ground of sex.

(3) Where the ground of discrimination is refusal of a request to undergo a genetic test or to disclose, or authorize the disclosure of, the results of a genetic test, the discrimination shall be deemed to be on the ground of genetic characteristics. Section 3 (1) to (3).

For more information:

  • Personal information disclosed by Library and Archives of Canada. Section 8 (3).
  • Copies of requests under paragraph (2)(e) to be retained. Section 8 (4).
  • Notice of disclosure under paragraph (2)(m). Section 8 (5).
  • PART I – Proscribed Discrimination. Section 3 (1) to (3).
  • Multiple grounds of discrimination. Section 3.1.
  • Publication of discriminatory notices, etc. Section 12.

Further details on the Privacy Act and Canadian Human Rights Act.

In Alberta, employers must address information security under the Personal Information Protection Act Sections 6 and 34, and the Freedom of Information and Protection of Privacy Act Sections 33, 38, and 40. Employers must develop and follow clear policies for protecting personal information, ensure reasonable security arrangements, and control collection, use, and disclosure in accordance with the law.

Personal Information Protection Act

Policies and Practices

(1) An organization must develop and follow policies and practices that are reasonable for the organization to meet its obligations under this Act.

(2) If an organization uses a service provider outside Canada to collect, use, disclose or store personal information for or on behalf of the organization, the policies and practices referred to in subsection (1) must include information regarding:

(a) the countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and

(b) the purposes for which the service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization.

(3) An organization must make written information about the policies and practices referred to in subsections (1) and (2) available on request. Section 6 (1) to (3).

Freedom of Information and Protection of Privacy Act

Disclosure of Personal Information

(1) A public body may disclose personal information only:

(a) in accordance with Part 1,

(b) if the disclosure would not be an unreasonable invasion of a third party’s personal privacy under section 17,

(c) for the purpose for which the information was collected or compiled or for a use consistent with that purpose,

(d) if the individual the information is about has identified the information and consented, in the prescribed manner, to the disclosure,

(e) for the purpose of complying with an enactment of Alberta or Canada or with a treaty, arrangement or agreement made under an enactment of Alberta or Canada,

(f) for any purpose in accordance with an enactment of Alberta or Canada that authorizes or requires the disclosure,

(g) for the purpose of complying with a subpoena, warrant or order issued or made by a court, person or body having jurisdiction in Alberta to compel the production of information or with a rule of court binding in Alberta that relates to the production of information,

(h) to an officer or employee of the public body or to a member of the Executive Council, if the information is necessary for the performance of the duties of the officer, employee or member,

(i) to an officer or employee of a public body or to a member of the Executive Council, if the disclosure is necessary for the delivery of a common or integrated program or service and for the performance of the duties of the officer or employee or member to whom the information is disclosed,

(j) for the purpose of enforcing a legal right that the Government of Alberta or a public body has against any person,

(k) for the purpose of:

(i) collecting a fine or debt owing by an individual to the Government of Alberta or to a public body, or to an assignee of either of them, or

(ii) making a payment owing by the Government of Alberta or by a public body to an individual,

(l) for the purpose of determining or verifying an individual’s suitability or eligibility for a program or benefit,

(m) to the Auditor General or any other prescribed person or body for audit purposes,

(n) to a member of the Legislative Assembly who has been requested by the individual the information is about to assist in resolving a problem,

(o) to a representative of a bargaining agent who has been authorized in writing by the employee the information is about to make an inquiry,

(p) to the Provincial Archives of Alberta or to the archives of a public body for permanent preservation,

(q) to a public body or a law enforcement agency in Canada to assist in an investigation:

(i) undertaken with a view to a law enforcement proceeding, or

(ii) from which a law enforcement proceeding is likely to result,

(r) if the public body is a law enforcement agency and the information is disclosed:

(i) to another law enforcement agency in Canada, or

(ii) to a law enforcement agency in a foreign country under an arrangement, written agreement, treaty, or legislative authority,

(s) so that the spouse or adult interdependent partner, relative or friend of an injured, ill or deceased individual may be contacted,

(t) in accordance with section 42 or 43,

(u) to an expert for the purposes of section 18(2),

(v) for use in a proceeding before a court or quasi-judicial body to which the Government of Alberta or a public body is a party,

(w) when disclosure is by the Minister of Justice or an agent or lawyer of the Minister of Justice to a place of lawful detention,

(x) for the purpose of managing or administering personnel of the Government of Alberta or the public body,

(y) to the Director of Maintenance Enforcement for the purpose of enforcing a maintenance order under the Maintenance Enforcement Act,

(z) to an officer of the Legislature, if the information is necessary for the performance of the duties of that officer,

(aa) for the purpose of supervising an individual under the control or supervision of a correctional authority,

(bb) when the information is available to the public,

(bb.1) if the personal information is information of a type routinely disclosed in a business or professional context and the disclosure:

(i) is limited to an individual’s name and business contact information, including business title, address, telephone number, facsimile number and e-mail address, and

(ii) does not reveal other personal information about the individual or personal information about another individual,

(cc) to the surviving spouse or adult interdependent partner or a relative of a deceased individual if, in the opinion of the head of the public body, the disclosure is not an unreasonable invasion of the deceased’s personal privacy,

(dd) to a lawyer or student-at-law acting for an inmate under the control or supervision of a correctional authority,

(ee) if the head of the public body believes, on reasonable grounds, that the disclosure will avert or minimize:

(i) a risk of harm to the health or safety of a minor, or

(ii) an imminent danger to the health or safety of any person,

(ff) to the Administrator of the Motor Vehicle Accident Claims Act or to an agent or lawyer of the Administrator for the purpose of dealing with claims under that Act, or

(gg) to a law enforcement agency, an organization providing services to a minor, another public body or any prescribed person or body if the information is in respect of a minor or a parent or guardian of a minor and the head of the public body believes, on reasonable grounds, that the disclosure is in the best interests of that minor.

(2) Notwithstanding subsection (1), a post-secondary educational body may disclose personal information in its alumni records for the purpose of fund-raising activities of the post-secondary educational body if the post-secondary educational body and the person to whom the information is disclosed have entered into a written agreement:

(a) that allows individuals a right of access to personal information that is disclosed about them under this subsection, and

(b) that provides that the person to whom the information is disclosed must discontinue using the personal information of any individual who so requests.

(3) Notwithstanding subsection (1), a post-secondary educational body may, for the purpose of assisting students in selecting courses, disclose teaching and course evaluations that were completed by students.

(4) A public body may disclose personal information only to the extent necessary to enable the public body to carry out the purposes described in subsections (1), (2) and (3) in a reasonable manner. Section 40 (1) to (4).

For more information:

  • Division 2 – Care of Personal Information. Section 34.
  • Purpose of collection of information. Section 33.
  • Protection of personal information. Section 38.

Further details on the Personal Information Protection Act and Freedom of Information and Protection of Privacy Act.

In British Columbia, employers must address information security under the Personal Information Protection Act Sections 14 to 22, 34, and the Freedom of Information and Protection of Privacy Act Sections 26 and 30. Employers must develop and follow clear policies to protect personal information, limit its use and disclosure, and ensure reasonable security safeguards.

Part 5 — Use of Personal Information

Limitations on Use of Personal Information

Subject to this Act, an organization may use personal information only for purposes that a reasonable person would consider appropriate in the circumstances and that:

(a) fulfill the purposes that the organization discloses under section 10 (1),

(b) for information collected before this Act comes into force, fulfill the purposes for which it was collected, or

(c) are otherwise permitted under this Act. Section 14.

Use of Personal Information Without Consent

(1) An organization may use personal information about an individual without the consent of the individual, if:

(a) the use is clearly in the interests of the individual and consent cannot be obtained in a timely way,

(b) the use is necessary for the medical treatment of the individual and the individual does not have the legal capacity to give consent,

(c) it is reasonable to expect that the use with the consent of the individual would compromise an investigation or proceeding and the use is reasonable for purposes related to an investigation or a proceeding,

(d) the personal information is collected by observation at a performance, a sports meet or a similar event:

(i) at which the individual voluntarily appears, and

(ii) that is open to the public,

(e) the personal information is available to the public from a source prescribed for the purposes of this paragraph,

(f) the use is necessary to determine suitability:

(i) to receive an honour, award, or similar benefit, including an honorary degree, scholarship or bursary, or

(ii) to be selected for an athletic or artistic purpose,

(g) the personal information is used by a credit reporting agency to create a credit report if the individual consented to the disclosure for this purpose,

(h) the use is required or authorized by law,

(h.1) the personal information was collected by the organization under section 12 (1) (k) or (l) and is used to fulfill the purposes for which it was collected,

(i) the personal information was disclosed to the organization under sections 18 to 22,

(j) the personal information is needed to facilitate:

(i) the collection of a debt owed to the organization, or

(ii) the payment of a debt owed by the organization,

(k) a credit reporting agency is permitted to collect the personal information without consent under section 12 and the information is not used by the credit reporting agency for any purpose other than to create a credit report, or

(l) the use is necessary to respond to an emergency that threatens the life, health or security of an individual.

(2) An organization may use personal information collected from or on behalf of another organization without the consent of the individual to whom the information relates, if:

(a) the individual consented to the use of the personal information by the other organization, and

(b) the personal information is used by the organization solely:

(i) for the purposes for which the information was previously collected, and

(ii) to assist that organization to carry out work on behalf of the other organization. Section 15 (1)(2).

Use of Employee Personal Information

(1) Subject to subsection (2), an organization may use employee personal information without the consent of the individual.

(2) An organization may not use employee personal information without the consent of the individual unless:

(a) section 15 allows the use of the employee personal information without consent, or

(b) the use is reasonable for the purposes of establishing, managing or terminating an employment relationship between the organization and the individual.

(3) An organization must notify an individual that it will be using employee personal information about the individual and the purposes for the use before the organization uses the employee personal information without the consent of the individual.

(4) Subsection (3) does not apply to employee personal information if section 15 allows it to be used without the consent of the individual. Section 16 (1) to (4).

Part 3 — Protection of Privacy

Division 1 — Collection, Protection and Retention of Personal Information by Public Bodies

Purpose for Which Personal Information may be Collected

A public body may collect personal information only if:

(a) the collection of the information is expressly authorized under an Act,

(b) the information is collected for the purposes of law enforcement,

(c) the information relates directly to and is necessary for a program or activity of the public body,

(d) with respect to personal information collected for a prescribed purpose,

(i) the individual the information is about has consented in the prescribed manner to that collection, and

(ii) a reasonable person would consider that collection appropriate in the circumstances,

(e) the information is necessary for the purposes of planning or evaluating a program or activity of a public body,

(f) the information is necessary for the purpose of reducing the risk that an individual will be a victim of domestic violence, if domestic violence is reasonably likely to occur,

(g) the information is collected by observation at a presentation, ceremony, performance, sports meet or similar event:

(i) at which the individual voluntarily appears, and

(ii) that is open to the public, or

(h) the information is personal identity information that is collected by:

(i) a provincial identity information services provider and the collection of the information is necessary to enable the provincial identity information services provider to provide services under section 69.2, or

(ii) a public body from a provincial identity information services provider and the collection of the information is necessary to enable:

(A) the public body to identify an individual for the purpose of providing a service to the individual, or

(B) the provincial identity information services provider to provide services under section 69.2. Section 26.

Protection of Personal Information

A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized collection, use, disclosure or disposal. Section 30.

For more information:

  • Transfer of personal information in the sale of an organization or its business assets. Section 20 (1) to (4).
  • Disclosure for research or statistical purposes. Section 21 (1)(2).
  • Disclosure for archival or historical purposes. Section 22 (a) to (d).

Further details on the Personal Information Protection Act and Freedom of Information and Protection of Privacy Act. 

In Manitoba, employers must address information security under The Freedom of Information and Protection of Privacy Act Sections 30, 36–41.2. Employers, particularly public bodies, are responsible for ensuring personal information is collected lawfully, limited to what is necessary, protected through reasonable safeguards, and retained according to clear policies. They must also notify individuals and the Ombudsman in case of privacy breaches that could pose significant harm. Proper handling of personal information protects individuals’ rights, builds public trust, and ensures compliance with provincial legal standards.

CONFIDENTIAL EVALUATIONS

Confidential Evaluations About the Applicant

(1) The head of a public body may refuse to disclose to an applicant personal information that has been provided in confidence, explicitly or implicitly, for purposes of determining the applicant’s suitability, eligibility or qualifications for employment, or for the purpose of awarding a contract.

Exception

(2) Subsection (1) does not apply to information that the public body is required to provide to the applicant under The Personal Investigations Act. Section 30 (1)(2).

Division 2 – Collection, Correction and Retention of Personal Information

COLLECTION OF INFORMATION

Purpose of Collection of Information

(1) No personal information may be collected by or for a public body unless:

(a) collection of the information is authorized by or under an enactment of Manitoba or of Canada;

(b) the information relates directly to and is necessary for an existing service, program or activity of the public body; or

(c) the information is collected for law enforcement purposes or crime prevention.

Limit on Amount of Information Collected

(2) A public body shall collect only as much personal information about an individual as is reasonably necessary to accomplish the purpose for which it is collected. Section 36 (1)(2).

Manner of Collection

(1) Personal information must be collected by or for a public body directly from the individual the information is about unless:

(a) another method of collection is authorized by that individual, or by an enactment of Manitoba or Canada;

(b) collection of the information directly from the individual could reasonably be expected to cause harm to the individual or to another person;

(c) collection of the information is in the interest of the individual and time or circumstances do not permit collection directly from the individual;

(d) collection of the information directly from the individual could reasonably be expected to result in inaccurate information being collected;

(e) the information may be disclosed to the public body under Division 3 of this Part;

(f) the information is collected for inclusion in a public registry;

(g) the information is collected for law enforcement purposes or crime prevention;

(h) the information is collected for the purpose of existing or anticipated legal proceedings to which the Government of Manitoba or the public body is a party;

(i) the information is collected for use in providing legal advice or legal services to the Government of Manitoba or the public body;

(j) the information concerns:

(i) the history, release, or supervision of an individual in the custody of or under the control or supervision of a correctional authority, or

(ii) the security of a correctional institution;

(k) the information is collected for the purpose of enforcing a support order under The Family Support Enforcement Act;

(l) the information is collected for the purpose of informing The Public Guardian and Trustee or the Commissioner for Adults Living with an Intellectual Disability about clients or potential clients;

(m) the information is collected for the purpose of:

(i) determining the eligibility of an individual to participate in a program of or receive a benefit or service from the Government of Manitoba or the public body and is collected in the course of processing an application made by or on behalf of the individual the information is about, or

(ii) verifying the eligibility of an individual who is participating in a program of or receiving a benefit or service from the Government of Manitoba or the public body;

(n) the information is collected for the purpose of:

(i) determining the amount of or collecting a fine, debt, tax or payment owing to the Government of Manitoba or the public body, or an assignee of either of them, or

(ii) making a payment;

(o) the information is collected for the purpose of managing or administering personnel of the Government of Manitoba or the public body;

(p) the information is collected for the purpose of auditing, monitoring or evaluating the activities of the Government of Manitoba or the public body; or

(q) the information is collected for the purpose of determining suitability for an honour or award, including an honourary degree, scholarship, prize or bursary.

Individual Must be Informed

(2) A public body that collects personal information directly from the individual the information is about shall inform the individual of:

(a) the purpose for which the information is collected;

(b) the legal authority for the collection; and

(c) the title and contact information of an officer or employee of the public body who can answer the individual’s questions about the collection.

When Notice not Required

(3) A public body need not comply with subsection (2) if it has recently provided the individual with the information referred to in that subsection about the collection of the same or similar personal information for the same or a related purpose. Section 37 (1) to (3).

For more information:

  • ACCURACY OF INFORMATION. Section 38.
  • CORRECTION OF INFORMATION. Section 39 (1) to (6).
  • RETENTION AND SECURITY OF INFORMATION. Sections 40 (1) to 41.2 (4).

Further details on the Freedom of Information and Protection of Privacy Act can be found at gov.mb.ca.

In New Brunswick, employers and public bodies must protect personal information under the Right to Information and Protection of Privacy Act, Sections 37 to 39, and the Personal Health Information Privacy and Access Act, Sections 37, 41, and 56. They are responsible for collecting only necessary information, ensuring its accuracy, retaining it properly, and safeguarding it against unauthorized access or disclosure. Disclosure of personal or health information without consent is strictly limited to specific legal circumstances, and privacy impact assessments are mandatory for new or significantly changed information systems.

PROTECTION OF PRIVACY

Collection, Correction, and Retention of Personal Information

Collection of Personal Information

(1) Personal information may be collected by or for a public body only if the collection of the information is authorized or required by or under an Act of the Legislature or an Act of the Parliament of Canada.

(2) Despite subsection (1), personal information may also be collected by or for a public body without the collection of the information being authorized or required by or under an Act of the Legislature or an Act of the Parliament of Canada if:

(a) the information relates directly to and is necessary for:

(i) a service, program or activity of the public body, or

(ii) a common or integrated service, program or activity,

(b) the information is collected for law enforcement purposes, or

(c) the information is collected by or for the public body for the purpose for which the information was disclosed to it under a provision of section 46 or 46.1.

(3) A public body shall collect only as much personal information about an individual as is reasonably necessary to accomplish the purpose for which it is collected. Section 37 (1) to (3).

Collection of Personal Information by the Minister of Health or a Research Data Centre

(1) Despite section 37, personal information may also be collected by or for the Minister of Health or a research data centre in accordance with the agreement referred to in paragraph 47.1(1)(b).

(2) The personal information collected under subsection (1) shall be collected from a public body or from another body prescribed by regulation. Section 37.1 (1)(2).

Personal Health Information Privacy and Access Act

Restrictions on Disclosure of Information

Disclosure for Health-Related Purposes

(1) Subject to subsection (2), the custodian may disclose an individual’s personal health information if:

(a) the individual or his or her substitute decision-maker is the recipient of the disclosure, or

(b) the individual or his or her substitute decision-maker consents to the disclosure.

(2) A custodian may disclose an individual’s personal health information without the consent of the individual:

(a) to a person who is providing or has provided health care to the individual, to the extent necessary to provide health care to the individual, unless the individual has instructed the custodian not to make the disclosure,

(i) if it is not possible to obtain the consent of the individual in a timely manner, or

(ii) if the individual has been admitted to a psychiatric facility as an involuntary patient under the Mental Health Act, or

(b) for the purpose of contacting a relative, friend or the substitute decision-maker of an individual who is not capable of giving consent personally.

(3) If a custodian discloses personal health information relating to an individual under paragraph (2)(a) and an express request of the individual prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care to the individual, the custodian shall notify the person to whom it makes disclosure of that fact.

(4) A custodian that is a regional health authority may disclose personal health information relating to an individual who is a patient of the regional health authority to a person that the regional health authority reasonably believes is a member of the individual’s immediate family, a relative or a person with whom the individual has a close personal relationship if:

(a) the regional health authority offers the individual the option, at the first reasonable opportunity after admission to the regional health authority, to object to that disclosure and the individual does not do so, and

(b) the disclosure is made in accordance with accepted professional practice.

(5) A custodian may disclose personal health information relating to an individual who is deceased or presumed to be deceased:

(a) for the purpose of identifying the individual,

(b) for the purpose of informing a person whom it is reasonable to inform in the circumstances of the fact that the individual is deceased or presumed to be deceased and the circumstances of the death, if appropriate,

(c) to the personal representative of the deceased for a purpose related to the administration of the estate,

(d) to a spouse, common-law partner, sibling or descendant of the individual if the recipient of the information reasonably requires the information to make decisions about his or her own health care or the health care of his or her child or if the disclosure is necessary to provide health care to the recipient, or

(e) for research purposes under section 43 if the information has been de-identified.

(5.1) A custodian may disclose personal health information relating to an individual without the consent of the individual:

(a) to the chief medical officer of health or other medical officers of health if the disclosure is required by another Act of the Legislature or the Parliament of Canada, or

(b) to a public health authority established under an Act of the Parliament of Canada, an Act of another province or territory or an Act of another jurisdiction if the disclosure is made for a public health purpose. Section 37 (1) to (5.1).

For more information:

  • Manner of collection. Sections 38 (1) to (3).
  • Accuracy of personal information. Section 39.
  • Disclosure for enforcement purposes. Sections 41 (1)(2).
  • Privacy impact assessment. Sections 56 (1)(2).

Further details on the Right to Information and Protection of Privacy Act and Personal Health Information Privacy and Access Act.

In Newfoundland and Labrador, employers and public bodies must protect personal information under the Access to Information and Protection of Privacy Act Sections 60, 61, 62, 64(1) and the Personal Health Information Act Sections 15 and 29. They are responsible for ensuring that personal and health information is collected lawfully, used appropriately, and protected against unauthorized access, loss, or disclosure. Specific obligations include limiting collection to necessary purposes, securing records throughout their lifecycle, and notifying individuals and the commissioner in the event of significant breaches.

Access to Information and Protection of Privacy Act

Disposition of Appeal

(1) On hearing an appeal the Trial Division may:

(a) where it determines that the head of the public body is authorized to refuse access to a record under this Part and, where applicable, it has not been clearly demonstrated that the public interest in disclosure of the information outweighs the reason for the exception, dismiss the appeal;

(b) where it determines that the head of the public body is required to refuse access to a record under this Part, dismiss the appeal; or

(c) where it determines that the head is not authorized or required to refuse access to all or part of a record under this Part,

(i) order the head of the public body to give the applicant access to all or part of the record, and

(ii) make an order that the court considers appropriate.

(2) Where the Trial Division finds that a record or part of a record falls within an exception to access under this Act and, where applicable, it has not been clearly demonstrated that the public interest in disclosure of the information outweighs the reason for the exception, the court shall not order the head to give the applicant access to that record or part of it, regardless of whether the exception requires or merely authorizes the head to refuse access.

(3) Where the Trial Division finds that to do so would be in accordance with this Act or the regulations, it may order that personal information be corrected and the manner in which it is to be corrected. Section 60 (1) to (3).

PART III – PROTECTION OF PERSONAL INFORMATION

DIVISION 1 – COLLECTION, USE, AND DISCLOSURE

Purpose for Which Personal Information may be Collected

No personal information may be collected by or for a public body unless:

(a) the collection of that information is expressly authorized by or under an Act;

(b) that information is collected for the purposes of law enforcement; or

(c) that information relates directly to and is necessary for an operating program or activity of the public body. Section 61.

Personal Health Information Act

Security

(1) A custodian shall take steps that are reasonable in the circumstances to ensure that:

(a) personal health information in its custody or control is protected against theft, loss and unauthorized access, use, or disclosure;

(b) records containing personal health information in its custody or control are protected against unauthorized copying or modification; and

(c) records containing personal health information in its custody or control are retained, transferred and disposed of in a secure manner.

(2) For the purpose of paragraph (1)(c), “disposed of in a secure manner” in relation to the disposition of a record of personal health information does not include the destruction of a record unless the record is destroyed in such a manner that the reconstruction of the record is not reasonably foreseeable in the circumstances.

(3) Except as otherwise provided in subsections (6) and (7), a custodian that has custody or control of personal health information shall notify the individual who is the subject of the information at the first reasonable opportunity where the information is:

(a) stolen;

(b) lost;

(c) disposed of, except as permitted by this Act or the regulations; or

(d) disclosed to or accessed by an unauthorized person.

(4) Where a custodian reasonably believes that there has been a material breach as defined in the regulations involving the unauthorized collection, use, or disclosure of personal health information, that custodian shall inform the commissioner of the breach.

(5) Notwithstanding a circumstance where, under subsection (7), notification of an individual by a custodian is not required, the commissioner may recommend that the custodian, at the first reasonable opportunity, notify the individual who is the subject of the information.

(6) Where a custodian is a researcher who has received personal health information from another custodian under section 44, he or she may not notify an individual who is the subject of the information that the information has been stolen, lost, disposed of in an unauthorized manner or disclosed to or accessed by an unauthorized person unless the custodian who provided the information to the researcher first obtains the individual’s consent to contact by the researcher and informs the researcher that the individual has given consent.

(7) Subsection (3) and subsection 20(3) do not apply where the custodian reasonably believes that the theft, loss, unauthorized disposition, or improper disclosure or access of personal health information will not have an adverse impact upon:

(a) the provision of health care or other benefits to the individual who is the subject of the information; or

(b) the mental, physical, economic or social well-being of the individual who is the subject of the information.

(8) Notwithstanding subsection (1), a custodian that has custody or control of personal health information that is the subject of a request for access under subsection 53(1) or for correction under subsection 60(1) shall retain the information for as long as necessary to allow the individual to exhaust any recourse under this Act that he or she may have with respect to the request. Section 15 (1) to (8).

For more information:

  • How personal information is to be collected. Sections 62 (1) to (3).
  • Protection of personal information. Sections 6.4 (1).
  • Collection of personal health information with consent. Sections 29 (1) to (4).

Further details on the Access to Information and Protection of Privacy Act and Personal Health Information Act.

In Nova Scotia, employers and public bodies must protect personal information under the Freedom of Information and Protection of Privacy Act Sections 24, 26, and 27. They are responsible for ensuring that personal information is collected only when authorized, used strictly for intended purposes, securely protected against unauthorized access, and retained properly to allow individuals access to their data. Disclosure is tightly regulated and permitted only under specific conditions such as consent, legal authority, or public safety concerns.

PROTECTION OF PERSONAL PRIVACY: COLLECTION, PROTECTION, RETENTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION

Disclosure of Personal Information

A public body may disclose personal information only:

(a) in accordance with this Act or as provided pursuant to any other enactment;

(b) if the individual the information is about has identified the information and consented in writing to its disclosure;

(c) for the purpose for which it was obtained or compiled, or a use compatible with that purpose;

(d) for the purpose of complying with an enactment or with a treaty, arrangement or agreement made pursuant to an enactment;

(e) for the purpose of complying with a subpoena, warrant, summons or order issued or made by a court, person or body with jurisdiction to compel the production of information;

(f) to an officer or employee of a public body or to a minister, if the information is necessary for the performance of the duties of, or for the protection of the health or safety of, the officer, employee, or minister;

(g) to a public body to meet the necessary requirements of government operation;

(h) for the purpose of:

(i) collecting a debt or fine owing by an individual to His Majesty in right of the Province or to a public body, or

(ii) making a payment owing by His Majesty in right of the Province or by a public body to an individual;

(i) to the Auditor General or any other prescribed person or body for audit purposes;

(j) to a member of the House of Assembly who has been requested by the individual, whom the information is about, to assist in resolving a problem;

(k) to a representative of the bargaining agent who has been authorized in writing by the employee, whom the information is about, to make an inquiry;

(l) to the Public Archives of Nova Scotia, or the archives of a public body, for archival purposes;

(m) to a public body or a law-enforcement agency in Canada to assist in an investigation:

(i) undertaken with a view to a law-enforcement proceeding, or

(ii) from which a law-enforcement proceeding is likely to result;

(n) if the public body is a law-enforcement agency and the information is disclosed:

(i) to another law-enforcement agency in Canada, or

(ii) to a law-enforcement agency in a foreign country under an arrangement, written agreement, treaty or legislative authority;

(o) if the head of the public body determines that compelling circumstances exist that affect anyone’s health or safety;

(p) so that the next of kin or a friend of an injured, ill or deceased individual may be contacted; or

(q) in accordance with Section 29 or 30. Section 27 (a) to (q).

For more information:

  • Treatment of personal information. Sections 24 (1) to (4).

Further details on the Freedom of Information and Protection of Privacy Act can be found at nslegislature.ca.

In the Northwest Territories, employers must follow the Access to Information and Protection of Privacy Act, Sections 40 to 43, 47, and 47.1 to protect personal information. Employers are responsible for collecting only necessary information, securing it against unauthorized access, and ensuring it is used and disclosed properly. Employees must not share personal information without authorization.

Part 2 – Protection of Privacy

Division A – Collection of Personal Information

Purpose of Collection of Information

No personal information may be collected by or for a public body unless:

(a) the collection of the information is expressly authorized by an enactment;

(b) the information is collected for the purposes of law enforcement; or

(c) the information relates directly to and is necessary for:

(i) an existing program or activity of the public body, or

(ii) a proposed program or activity where collection of the information has been authorized by the head with the approval of the Executive Council. Section 40.

Collection of Information from Individual Concerned

(1) A public body must, where reasonably possible, collect personal information directly from the individual the information relates to unless:

(a) another method of collection is authorized by that individual or by an enactment;

(b) the information may be disclosed to the public body under Division C of this Part;

(c) the information is collected for the purpose of law enforcement;

(d) the information is collected for the purpose of collecting a fine or a debt owed to the Government of the Northwest Territories or a public body;

(e) the information concerns the history, release or supervision of an individual under the control or supervision of a correctional authority;

(f) the information is collected for the purpose of providing legal services to the Government of the Northwest Territories or a public body;

(g) the information:

(i) is necessary in order to determine the eligibility of an individual to participate in a program of or receive a benefit, product or service from the Government of the Northwest Territories or a public body and is collected in the course of processing an application made by or on behalf of the individual the information is about, or

(ii) is necessary in order to verify the eligibility of an individual who is participating in a program of or receiving a benefit, product or service from the Government of the Northwest Territories or a public body and is collected for that purpose;

(g.1) subject to the regulations, the information is disclosed to a public body, where the information is necessary for the delivery of a common or integrated program or service and for the performance of the duties of the officer or employee to whom the information is disclosed;

(h) the information is collected for the purpose of informing the Public Trustee about potential clients;

(i) the information is collected for the purpose of enforcing a maintenance order under the Maintenance Orders Enforcement Act; or

(j) the information is collected for the purpose of hiring, managing or administering personnel of the Government of the Northwest Territories or a public body. Section 41 (1).

DIVISION B – USE OF PERSONAL INFORMATION

Use of Personal Information

A public body may use personal information only:

(a) for the purpose for which the information was collected or compiled, or for a use consistent with that purpose;

(b) if the individual the information is about has identified the information and consented, in the prescribed manner, to the use; or

(c) for a purpose for which the information may be disclosed to that public body under Division C of this Part. Section 43.

DIVISION C – DISCLOSURE OF PERSONAL INFORMATION

Disclosure in Accordance with Part 1 or this Division

A public body may disclose personal information only:

(a) in accordance with Part 1; or

(b) in accordance with this Division. Section 47.

Duty of Employees

An employee shall not, without authorization, disclose any personal information received by the employee in the performance of services for a public body. Section 47.1.

For more information:

  • Notice to individual. Section 41 (2).
  • Section 41 (3).
  • Protection of personal information. Section 42.

Further details on the Access to Information and Protection of Privacy Act can be found at gov.nt.ca.

In Nunavut, employers must comply with the Access to Information and Protection of Privacy Act Part 2, Sections 40, 41, 42, 43, 47, and 48 to properly manage personal information. Employers are responsible for collecting only necessary information, informing individuals about the purpose, securing the data against risks like unauthorized access, and ensuring use and disclosure strictly follow authorized purposes.

PART 2 – PROTECTION OF PRIVACY

DIVISION A – COLLECTION OF PERSONAL INFORMATION

Purpose of Collection of Information

No personal information may be collected by or for a public body unless:

(a) the collection of the information is expressly authorized by an enactment;

(b) the information is collected for the purposes of law enforcement;

(c) the information relates directly to and is necessary for:

(i) an existing program or activity of the public body, or

(ii) a proposed program or activity where collection of the information has been authorized by the head with the approval of the Executive Council; or

(d) the collection of the information for research or statistical purposes is authorized by or under the Statistics Act.

Collection of Information from Individual Concerned

(1) A public body must, where reasonably possible, collect personal information directly from the individual the information relates to unless:

(a) another method of collection is authorized by that individual or by an enactment;

(b) the information may be disclosed to the public body under Division C of this Part;

(c) the information is collected for the purpose of law enforcement;

(d) the information is collected for the purpose of collecting a fine or a debt owed to the Government of Nunavut or a public body;

(e) the information concerns the history, release or supervision of an individual under the control or supervision of a correctional authority;

(f) the information is collected for the purpose of providing legal services to the Government of Nunavut or a public body;

(g) the information:

(i) is necessary in order to determine the eligibility of an individual to participate in a program of or receive a benefit, product or service from the Government of Nunavut or a public body and is collected in the course of processing an application made by or on behalf of the individual the information is about, or

(ii) is necessary in order to verify the eligibility of an individual who is participating in a program of or receiving a benefit, product or service from the Government of Nunavut or a public body and is collected for that purpose;

(h) the information is collected for the purpose of informing the Public Trustee about potential clients;

(i) the information is collected for the purpose of enforcing a support order under the Family Support Orders Enforcement Act; or

(j) the information is collected for the purpose of hiring, managing or administering personnel of the Government of Nunavut or a public body.

Notice to Individual

(2) A public body that collects personal information directly from the individual the information is about shall inform the individual of:

(a) the purpose for which the information is collected,

(b) the specific legal authority for the collection, and

(c) the title, business address and business telephone number of an officer or employee of the public body who can answer questions about the collection, unless the regulations provide that this subsection does not apply to that type of information.

Exception

(3) Subsections (1) and (2) do not apply if, in the opinion of the head of the public body concerned, compliance with them might result in the collection of inaccurate information or defeat the purpose or prejudice the use for which the information is collected. Section 41 (1) to (3).

Protection of Personal Information

The head of a public body shall protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal. Section 42.

For more information:

  • DIVISION B – USE OF PERSONAL INFORMATION. Section 43.
  • DISCLOSURE OF PERSONAL INFORMATION. Sections 47, 48.

Further details on the Access to Information and Protection of Privacy Act can be found at nunavutlegislation.ca.

In Ontario, employers must comply with the Freedom of Information and Protection of Privacy Act Part III, Sections 40 (1), 41, 49.9, and the Human Rights Code Part I, Sections 1, 5(1), and 8 to protect personal information and ensure non-discriminatory practices. Employers are responsible for securely collecting, using, and retaining employee information, using it only for authorized purposes, and protecting it from unauthorized access. Strong privacy practices support both information security and compliance with human rights obligations.

Freedom of Information and Protection of Privacy Act

PART III – PROTECTION OF INDIVIDUAL PRIVACY

Retention and Protection of Personal Information

(1) Personal information that has been used by an institution shall be retained after use by the institution for the period prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to personal information. Section 40 (1).

Use and Disclosure of Personal Information

Use of Personal Information

(1) An institution shall not use personal information in its custody or under its control except,

(a) where the person to whom the information relates has identified that information in particular and consented to its use;

(b) for the purpose for which it was obtained or compiled or for a consistent purpose;

(c) for a purpose for which the information may be disclosed to the institution under section 42 or under section 32 of the Municipal Freedom of Information and Protection of Privacy Act; or

(d) subject to subsection (2), an educational institution may use personal information in its alumni records and a hospital may use personal information in its records for the purpose of its own fundraising activities, if the personal information is reasonably necessary for the fundraising activities.

Notice on Using Personal Information for Fundraising

(2) In order for an educational institution to use personal information in its alumni records or for a hospital to use personal information in its records, either for its own fundraising activities or for the fundraising activities of an associated foundation, the educational institution or hospital shall,

(a) give notice to the individual to whom the personal information relates when the individual is first contacted for the purpose of soliciting funds for fundraising of his or her right to request that the information cease to be used for fundraising purposes;

(b) periodically and in the course of soliciting funds for fundraising, give notice to the individual to whom the personal information relates of his or her right to request that the information cease to be used for fundraising purposes; and

(c) periodically and in a manner that is likely to come to the attention of individuals who may be solicited for fundraising, publish a notice of the individual’s right to request that the individual’s personal information cease to be used for fundraising purposes.

Discontinuing Use of Personal Information

(3) An educational institution or a hospital shall, when requested to do so by an individual, cease to use the individual’s personal information under clause (1) (d). Section 41 (1) to (3).

Human Rights Code

PART I – FREEDOM FROM DISCRIMINATION

Services

Every person has a right to equal treatment with respect to services, goods and facilities, without discrimination because of race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, gender identity, gender expression, age, marital status, family status, or disability. Section 1.

Employment

(1) Every person has a right to equal treatment with respect to employment without discrimination because of race, ancestry, place of origin, colour, ethnic origin, citizenship, creed, sex, sexual orientation, gender identity, gender expression, age, record of offences, marital status, family status, or disability. Section 5 (1).

Reprisals

Every person has a right to claim and enforce his or her rights under this Act, to institute and participate in proceedings under this Act and to refuse to infringe a right of another person under this Act, without reprisal or threat of reprisal for so doing. Section 8.

For more information:

  • Section 49.

Further details on the Freedom of Information and Protection of Privacy Act and Human Rights Code.

In Prince Edward Island, employers must protect personal information under the Freedom of Information and Protection of Privacy Act Part II, Sections 31, 32, 36, 37, and 40. Employers are responsible for collecting only necessary information directly from individuals, securing personal data against unauthorized access or use, and ensuring information is only used or disclosed for authorized purposes.

Purposes of Freedom of Information and Protection of Privacy Act

The purposes of this Act are:

(c) to allow individuals, subject to limited and specific exceptions as set out in this Act, a right of access to personal information about themselves that is held by a public body; Section 2.

PART II — PROTECTION OF PRIVACY

Division 1 — Collection of Personal Information

Purpose of Collection of Information

No personal information may be collected by or for a public body unless:

(a) the collection of that information is expressly authorized by or under an enactment of Prince Edward Island or Canada;

(b) that information is collected for the purposes of law enforcement; or

(c) that information relates directly to and is necessary for an operating program or activity of the public body. Section 31.

Manner of Collection of Information

A public body shall collect personal information directly from the individual the information is about unless:

(a) another method of collection is authorized by:

(i) that individual,

(ii) another Act or a regulation under another Act, or

(iii) the Commissioner under clause 50(1)(f);

(b) the information may be disclosed to the public body under Division 2 of this Part;

(c) the information is collected for the purpose of law enforcement;

(d) the information is collected for the purpose of collecting a fine or a debt owed to the Government of Prince Edward Island or a public body;

(e) the information concerns the history, release or supervision of an individual under the control or supervision of a correctional authority;

(f) the information is collected for use in the provision of legal services to the Government of Prince Edward Island or a public body;

(g) the information is necessary:

(i) to determine the eligibility of an individual to participate in a program of or receive a benefit, product or service from the Government of Prince Edward Island or a public body and is collected in the course of processing an application made by or on behalf of the individual the information is about, or

(ii) to verify the eligibility of an individual who is participating in a program of or receiving a benefit, product or service from the Government of Prince Edward Island or a public body and is collected for that purpose;

(h) the information is collected for the purpose of informing the Public Trustee or a person exercising public guardianship functions about clients or potential clients;

(i) the information is collected for the purpose of enforcing a maintenance order under the Maintenance Enforcement Act R.S.P.E.I. 1988, Cap. M-1;

(j) the information is collected for the purpose of managing or administering personnel of the Government of Prince Edward Island or a public body;

(k) the information is collected for the purpose of assisting in researching or validating the claims, disputes or grievances of aboriginal people;

(l) the information is collected in a health or safety emergency where:

(i) the individual is not able to provide the information directly, or

(ii) direct collection could reasonably be expected to endanger the mental or physical health or safety of the individual or another person;

(m) the information concerns an individual who is designated as a person to be contacted in an emergency, or other specified circumstances;

(n) the information is collected for the purpose of determining suitability for an honour or award, including an honorary degree, scholarship, prize or bursary; or

(o) the information is collected from published or other public sources for the purpose of fundraising. Section 32 (a) to (o).

For more information:

  • Division 2 — Use and Disclosure of Personal Information by Public Bodies. Section 36.
  • Disclosure of personal information. Section 37.
  • Disclosure by designated educational body for fundraising activity. Section 37 (1.1).
  • Disclosure of evaluations to assist students. Section 37 (1.2).

Further details on the Freedom of Information and Protection of Privacy Act can be found at princeedwardisland.ca.

In Québec, employers must address information security under the Charter of Human Rights and Freedoms Sections 5 and 10, and the Act respecting the protection of personal information in the private sector Sections 5, 10, 11, and 12. Employers must collect only necessary personal information, ensure its security, maintain its accuracy, and use it strictly for authorized purposes.

Charter of Human Rights and Freedoms

CHAPTER I – FUNDAMENTAL FREEDOMS AND RIGHTS

Every person has a right to respect for his private life. Section 5.

CHAPTER I.1 – RIGHT TO EQUAL RECOGNITION AND EXERCISE OF RIGHTS AND FREEDOMS

Every person has a right to full and equal recognition and exercise of his human rights and freedoms, without distinction, exclusion or preference based on race, colour, sex, gender identity or expression, pregnancy, sexual orientation, civil status, age except as provided by law, religion, political convictions, language, ethnic or national origin, social condition, a handicap, or the use of any means to palliate a handicap.

Discrimination exists where such a distinction, exclusion or preference has the effect of nullifying or impairing such right. Section 10.

Act Respecting the Protection of Personal Information in the Private Sector

DIVISION II – COLLECTION OF PERSONAL INFORMATION

Any person collecting personal information on another person may collect only the information necessary for the purposes determined before collecting it. Section 5.

DIVISION III – CONFIDENTIALITY OF PERSONAL INFORMATION

Retention, Use, and Non-Communication of Information

A person carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored. Section 10. 

Every person carrying on an enterprise must ensure that any personal information held on another person is up to date and accurate when used to make a decision in relation to the person concerned.

The information used to make such a decision is kept for at least one year following the decision. Section 11.

Unless the person concerned gives his consent, personal information may not be used within the enterprise except for the purposes for which it was collected. Such consent must be given expressly when it concerns sensitive personal information.

Personal information may, however, be used for another purpose without the consent of the person concerned, but only:

(1) if it is used for purposes consistent with the purposes for which it was collected;

(2) if it is clearly used for the benefit of the person concerned;

(3) if its use is necessary for the purpose of preventing and detecting fraud or of assessing and improving protection and security measures;

(4) if its use is necessary for the purpose of providing or delivering a product or providing a service requested by the person concerned; or

(5) if its use is necessary for study or research purposes or for the production of statistics and if the information is de-identified.

In order for a purpose to be consistent within the meaning of subparagraph 1 of the second paragraph, it must have a direct and relevant connection with the purposes for which the information was collected. However, commercial or philanthropic prospection may not be considered a consistent purpose.

For the purposes of this Act, personal information is:

(1) de-identified if it no longer allows the person concerned to be directly identified;

(2) sensitive if, due to its nature, in particular its medical, biometric or otherwise intimate nature, or the context of its use or communication, it entails a high level of reasonable expectation of privacy.

Every person carrying on an enterprise who uses de-identified information must take reasonable measures to limit the risk of someone identifying a natural person using de-identified information. Section 12 (1) to (5).

Further details on the Charter of Human Rights and Freedoms and Act respecting the protection of personal information in the private sector.

In Saskatchewan, employers are required to address information security under the Freedom of Information and Protection of Privacy Act, Sections 24, 25, 26, and 27. Employers must ensure that personal information is collected only when authorized and necessary for a valid program or activity, gathered directly from individuals when possible, and protected against unauthorized access, use, or disclosure. Employers are also responsible for maintaining the accuracy and completeness of personal information used for administrative purposes.

Freedom of Information and Protection of Privacy Act

PART IV – Protection of Privacy

Interpretation

(1) Subject to subsections (1.1) and (2), “personal information” means personal information about an identifiable individual that is recorded in any form, and includes:

(a) information that relates to the race, creed, religion, colour, sex, sexual orientation, family status or marital status, disability, age, nationality, ancestry, or place of origin of the individual;

(b) information that relates to the education or the criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved;

(c) Repealed. 1999, c.H-0.021, s.66.

(d) any identifying number, symbol or other particular assigned to the individual, other than the individual’s health services number as defined in The Health Information Protection Act;

(e) the home or business address, home or business telephone number or fingerprints of the individual;

(f) the personal opinions or views of the individual except where they are about another individual;

(g) correspondence sent to a government institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to the correspondence that would reveal the content of the original correspondence, except where the correspondence contains the views or opinions of the individual with respect to another individual;

(h) the views or opinions of another individual with respect to the individual;

(i) information that was obtained on a tax return or gathered for the purpose of collecting a tax;

(j) information that describes an individual’s finances, assets, liabilities, net worth, bank balance, financial history or activities or credit worthiness; or

(k) the name of the individual where:

(i) it appears with other personal information that relates to the individual; or

(ii) the disclosure of the name itself would reveal personal information about the individual.

(1.1) Subject to subsection (1.2), “personal information” does not include information that constitutes personal health information as defined in The Health Information Protection Act.

(1.2) Personal health information in the possession or control of the Workers’ Compensation Board is personal information for the purposes of this Act.

(2) “Personal information” does not include information that discloses:

(a) the classification, salary, discretionary benefits or employment responsibilities of an individual who is or was an officer or employee of a government institution or a member of the staff of a member of the Executive Council;

(b) the salary or benefits of a legislative secretary or a member of the Executive Council;

(c) the personal opinions or views of an individual employed by a government institution given in the course of employment, other than personal opinions or views with respect to another individual;

(d) financial or other details of a contract for personal services;

(e) details of a license, permit or other similar discretionary benefit granted to an individual by a government institution;

(f) details of a discretionary benefit of a financial nature granted to an individual by a government institution;

(g) expenses incurred by an individual travelling at the expense of a government institution.

(3) Notwithstanding clauses (2)(e) and (f), “personal information” includes information that:

(a) is supplied by an individual to support an application for a discretionary benefit; and

(b) is personal information within the meaning of subsection (1). Section 24 (1) to (3).

For more information:

  • Purpose of information. Section 25.
  • Manner of collection. Section 26 (1) to (3).
  • Standard of accuracy. Section 27.

Further details on the Freedom of Information and Protection of Privacy Act can be found at saskatchewan.ca.

In Yukon, employers are required to address information security under the Access to Information and Protection of Privacy Act, Sections 29, 30, 35, and 36. Employers must ensure that personal information is collected only when authorized, gathered directly from the individual when possible, and used solely for the purposes for which it was collected or a consistent purpose. They must also properly inform individuals about the collection and protect information against unauthorized access, use, or disclosure.

Access to Information and Protection of Privacy Act

PART 3 – PROTECTION OF PRIVACY

Purpose for Which Personal Information may be Collected

No personal information may be collected by or for a public body unless:

(a) the collection of that information is authorized by an Act of Parliament or of the Legislature;

(b) that information is collected for the purposes of law enforcement; or

(c) that information relates to and is necessary for carrying out a program or activity of the public body. Section 29.

How Personal Information is to be Collected

(1) A public body must collect personal information directly from the individual the information is about unless:

(a) another method of collection is authorized by:

(i) that individual,

(ii) the commissioner under section 42, or

(iii) an Act of Parliament or of the Legislature;

(b) the information may be disclosed to the public body under sections 36 to 39; or

(c) the information is collected for the purpose of:

(i) determining suitability for an honour or award,

(ii) a proceeding before a court or a judicial or adjudicative body,

(iii) collecting a debt or making a payment, or

(iv) law enforcement.

(2) A public body must tell an individual from whom it collects personal information:

(a) the purpose for collecting it;

(b) the legal authority for collecting it; and

(c) the title, business address, and business telephone number of an officer or employee of the public body who can answer the individual’s questions about the collection.

(3) Subsection (2) does not apply if:

(a) the information is about law enforcement or anything referred to in section 19; or

(b) the Minister responsible for this Act excuses the public body from complying with it because compliance would:

(i) result in the collection of inaccurate information, or

(ii) defeat the purpose or prejudice the use for which the information is collected. Section 30 (1) to (3).

Use of Personal Information

(1) A public body may use personal information only:

(a) for the purpose for which that information was obtained or compiled, or for a use consistent with that purpose;

(b) if the individual the information is about has consented to the use; or

(c) for the purpose for which that information may be disclosed to that public body under sections 36 to 39.

(2) A public body may use personal information only to the extent necessary to enable the public body to carry out its purpose in a reasonable manner. Section 35 (1)(2).

For more information:

  • Disclosure of personal information. Section 36 (a) to (e).

Further details on the Access to Information and Protection of Privacy Act can be found at yukon.ca.