DIVISION 3

AUDITS

To ensure compliance

18. (1) The Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the Commissioner has reasonable grounds to believe that the organization is contravening a provision of Division 1 or is not following a recommendation set out in Schedule 1, and for that purpose may

    (a) summon and enforce the appearance of persons before the Commissioner and compel them to give oral or written evidence on oath and to produce any records and things that the Commissioner considers necessary for the audit, in the same manner and to the same extent as a superior court of record;

    (b) administer oaths;

    (c) receive and accept any evidence and other information, whether on oath, by affidavit or otherwise, that the Commissioner sees fit, whether or not it is or would be admissible in a court of law;

    (d) at any reasonable time, enter any premises, other than a dwelling-house, occupied by the organization on satisfying any security requirements of the organization relating to the premises;

    (e) converse in private with any person in any premises entered under paragraph (d) and otherwise carry out in those premises any inquiries that the Commissioner sees fit; and

    (f) examine or obtain copies of or extracts from records found in any premises entered under paragraph (d) that contain any matter relevant to the audit.

Delegation

(2) The Commissioner may delegate any of the powers set out in subsection (1).

Return of records

(3) The Commissioner or the delegate shall return to a person or an organization any record or thing they produced under this section within ten days after they make a request to the Commissioner or the delegate, but nothing precludes the Commissioner or the delegate from again requiring that the record or thing be produced.

Certificate of delegation

(4) Any person to whom powers set out in subsection (1) are delegated shall be given a certificate of the delegation and the delegate shall produce the certificate, on request, to the person in charge of any premises to be entered under paragraph (1)(d).

Report of findings and recommenda-
tions

19. (1) After an audit, the Commissioner shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the Commissioner considers appropriate.

Reports may be included in annual reports

(2) The report may be included in a report made under section 25.

DIVISION 4

GENERAL

Confiden-
tiality

20. (1) Subject to subsections (2) to (5), 13(3) and 19(1), the Commissioner or any person acting on behalf or under the direction of the Commissioner shall not disclose any information that comes to their knowledge as a result of the performance or exercise of any of the Commissioner's duties or powers under this Part.

Public interest

(2) The Commissioner may make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so.

Disclosure of necessary information

(3) The Commissioner may disclose, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose, information that in the Commissioner's opinion is necessary to

    (a) conduct an investigation or audit under this Part; or

    (b) establish the grounds for findings and recommendations contained in any report under this Part.

Disclosure in the course of proceedings

(4) The Commissioner may disclose, or may authorize any person acting on behalf or under the direction of the Commissioner to disclose, information in the course of

    (a) a prosecution for an offence under section 28;

    (b) a prosecution for an offence under section 132 of the Criminal Code (perjury) in respect of a statement made under this Part;

    (c) a hearing before the Court under this Part; or

    (d) an appeal from a decision of the Court.

Disclosure of offence authorized

(5) The Commissioner may disclose to the Attorney General of Canada or of a province, as the case may be, information relating to the commission of an offence against any law of Canada or a province on the part of an officer or employee of an organization if, in the Commissioner's opinion, there is evidence of an offence.

Not competent witness

21. The Commissioner or person acting on behalf or under the direction of the Commissioner is not a competent witness in respect of any matter that comes to their knowledge as a result of the performance or exercise of any of the Commissioner's duties or powers under this Part in any proceeding other than

    (a) a prosecution for an offence under section 28;

    (b) a prosecution for an offence under section 132 of the Criminal Code (perjury) in respect of a statement made under this Part;

    (c) a hearing before the Court under this Part; or

    (d) an appeal from a decision of the Court.

Protection of Commissioner

22. (1) No criminal or civil proceedings lie against the Commissioner, or against any person acting on behalf or under the direction of the Commissioner, for anything done, reported or said in good faith as a result of the performance or exercise or purported performance or exercise of any duty or power of the Commissioner under this Part.

Libel or slander

(2) For the purposes of any law relating to libel or slander,

    (a) anything said, any information supplied or any record or thing produced in good faith in the course of an investigation or audit carried out by or on behalf of the Commissioner under this Part is privileged; and

    (b) any report made in good faith by the Commissioner under this Part and any fair and accurate account of the report made in good faith for the purpose of news reporting is privileged.

Consulta-
tions with provinces

23. (1) If the Commissioner considers it appropriate to do so, or on the request of an interested person, the Commissioner may, in order to ensure that personal information is protected in as consistent a manner as possible, consult with any person who, under provincial legislation that is substantially similar to this Part, has powers and duties similar to those of the Commissioner.

Agreements

(2) The Commissioner may enter into agreements with any person with whom the Commissioner may consult under subsection (1)

    (a) to coordinate the activities of their offices and the office of the Commissioner, including to provide for mechanisms for the handling of any complaint in which they are mutually interested;

    (b) to undertake and publish research related to the protection of personal information; and

    (c) to develop model contracts for the protection of personal information that is collected, used or disclosed interprovincially or internationally.

Promoting the purposes of the Part

24. The Commissioner shall

    (a) develop and conduct information programs to foster public understanding, and recognition of the purposes, of this Part;

    (b) undertake and publish research that is related to the protection of personal information, including any such research that is requested by the Minister of Industry;

    (c) encourage organizations to develop detailed policies and practices, including organizational codes of practice, to comply with sections 5 to 10; and

    (d) promote, by any means that the Commissioner considers appropriate, the purposes of this Part.

Annual report

25. (1) The Commissioner shall, as soon as practicable after the end of each calendar year, submit to Parliament a report concerning the application of this Part, the extent to which the provinces have enacted legislation that is substantially similar to this Part and the application of any such legislation.

Consultation

(2) Before preparing the report, the Commissioner shall consult with those persons in the provinces who, in the Commissioner's opinion, are in a position to assist the Commissioner in reporting respecting personal information that is collected, used or disclosed interprovincially or internationally.

Regulations

26. (1) The Governor in Council may make regulations

    (a) specifying, by name or by class, what is a government institution or part of a government institution for the purposes of any provision of this Part;

    (a.01) specifying, by name or by class, what is an investigative body for the purposes of paragraph 7(3)(d) or (h.2);

    (a.1) specifying information or classes of information for the purpose of paragraph 7(1)(d), (2)(c.1) or (3)(h.1); and

    (b) for carrying out the purposes and provisions of this Part.

Orders

(2) The Governor in Council may, by order,

    (a) provide that this Part is binding on any agent of Her Majesty in right of Canada to which the Privacy Act does not apply; and

    (b) if satisfied that legislation of a province that is substantially similar to this Part applies to an organization, a class of organizations, an activity or a class of activities, exempt the organization, activity or class from the application of this Part in respect of the collection, use or disclosure of personal information that occurs within that province.

Whistle-
blowing

27. (1) Any person who has reasonable grounds to believe that a person has contravened or intends to contravene a provision of Division 1, may notify the Commissioner of the particulars of the matter and may request that their identity be kept confidential with respect to the notification.

Confiden-
tiality

(2) The Commissioner shall keep confidential the identity of a person who has notified the Commissioner under subsection (1) and to whom an assurance of confidentiality has been provided by the Commissioner.

Prohibition

27.1 (1) No employer shall dismiss, suspend, demote, discipline, harass or otherwise disadvantage an employee, or deny an employee a benefit of employment, by reason that

    (a) the employee, acting in good faith and on the basis of reasonable belief, has disclosed to the Commissioner that the employer or any other person has contravened or intends to contravene a provision of Division 1;

    (b) the employee, acting in good faith and on the basis of reasonable belief, has refused or stated an intention of refusing to do anything that is a contravention of a provision of Division 1;

    (c) the employee, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order that a provision of Division 1 not be contravened; or

    (d) the employer believes that the employee will do anything referred to in paragraph (a), (b) or (c).

Saving

(2) Nothing in this section impairs any right of an employee either at law or under an employment contract or collective agreement.

Definitions

(3) In this section, ``employee'' includes an independent contractor and ``employer'' has a corresponding meaning.

Offence and punishment

28. Every person who knowingly contravenes subsection 8(8) or 27.1(1) or who obstructs the Commissioner or the Commissioner's delegate in the investigation of a complaint or in conducting an audit is guilty of

    (a) an offence punishable on summary conviction and liable to a fine not exceeding $10,000; or

    (b) an indictable offence and liable to a fine not exceeding $100,000.

Review of Part by parliamen-
tary committee

29. (1) The administration of this Part shall, every five years after this Part comes into force, be reviewed by the committee of the House of Commons, or of both Houses of Parliament, that may be designated or established by Parliament for that purpose.

Review and report

(2) The committee shall undertake a review of the provisions and operation of this Part and shall, within a year after the review is undertaken or within any further period that the House of Commons may authorize, submit a report to Parliament that includes a statement of any changes to this Part or its administration that the committee recommends.

DIVISION 5

TRANSITIONAL PROVISIONS

Application

30. (1) This Part does not apply to any organization in respect of personal information that it collects, uses or discloses within a province whose legislature has the power to regulate the collection, use or disclosure of the information, unless the organization does it in connection with the operation of a federal work, undertaking or business or the organization discloses the information outside the province for consideration.

Application

(1.1) This Part does not apply to any organization in respect of personal health information that it collects, uses or discloses.

Expiry date

(2) Subsection (1) ceases to have effect three years after the day on which this section comes into force.

Expiry date

(2.1) Subsection (1.1) ceases to have effect one year after the day on which this section comes into force.