Unless and until a designation is made under CSA Principle 1, the person accountable for an
organization's compliance with the data protection principles should be
(a) the organization's Chief Executive Officer, if it has one; or
(b) in an organization without a Chief Executive Officer, the person or persons who control
the affairs of the organization.
CSA Principle 2 -- Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at
or before the time the information is collected.
The purposes for which an organization collects personal information must be legitimate and
must directly relate to an existing or proposed activity of the organization.
CSA Principle 2 could be supplemented by a requirement that organizations document the
purposes for which they maintain personal records systems, but if it is, such a requirement
should not apply where documentation would be superfluous to proper administrative
Where an organization's documented purposes do not match the explanation given to the
individual, the latter should prevail, in accordance with CSA Principle 3 -- Consent.
CSA Principle 3 -- Consent
The knowledge and consent of the individual are required for the collection, use or disclosure of
personal information, except where inappropriate.
The essence of CSA Principle 3 is "consent." Data protection legislation should not include
"knowledge" as a separate and independent criterion which must be satisfied.
b. Express and implied consent
Data protection legislation must include the concept of implied consent, based on the
reasonable expectations of the individual.
The actions for which consent can be implied should be those that the individual should
reasonably expect the organization to take, and would be unlikely to disapprove of, having regard to
(a) the nature of the personal information in question, including whether it is or is not
sensitive or confidential,
(b) any benefit or detriment to the individual,
(c) any explanation that the organization has given of its intended actions,
(d) any indication that the individual has given of his or her actual wishes, and
(e) the ease or difficulty with which the actual wishes of the individual might be
c. "Except where inappropriate"
Consent should not be required when an organization collects, uses or discloses personal information
(a) to protect the health, safety or security of the public or of an individual,
(b) for purposes of an investigation related to the enforcement of an enactment,
(c) to protect or assert its own lawful rights, including lawful rights against the individual,
(d) to verify to a government body the individual's eligibility for a program or benefit for
which the individual has applied to that body,
(e) for purposes of legitimate research in the interest of science, of learning or of public
policy, or for archival purposes,
(f) as required or expressly authorized by law, or
(g) for some other substantial reason in the public interest, whether or not it is similar in
nature to paragraphs (a) to (f).
Before collecting, using or disclosing personal information without consent an organization
should consider the nature of the information in question and the purpose for which it is
acting, and must satisfy itself that in the circumstances that purpose justifies the action.
Any collection, use or disclosure of personal information without consent should be limited to
the reasonable requirements of the situation.
CSA Principle 4 -- Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes
identified by the organization. Information shall be collected by fair and lawful means.
Data protection legislation should state the sources from which personal information may be
collected, and should state that an individual shall not be refused any service or benefit
because he or she declines to provide personal information which is not necessary for the
identified purpose of the organization.
The requirement that personal information be collected by fair and lawful means does not
need further explanation in data protection legislation.
CSA Principle 5 -- Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by law. Personal information
shall be retained only as long as necessary for the fulfilment of those purposes.
CSA Principle 5 should permit uses and disclosures that are "expressly authorized by law"
as well as those that are "required by law."
b. Inter-relation of "purpose", "consent" and "the law"
Data protection legislation need not elaborate upon the relationship between "purposes,"
"consent" and "the law" as alternative bases for the use or disclosure of personal information.
Data protection legislation should make it clear that an organization's duty not to retain
personal information can be satisfied by converting the information into a form in which the
individuals to whom it relates cease to be identifiable.
Organizations should not be required to purge all personal information from "non-personal"
files in which the personal information appears incidentally.
CSA Principle 6 -- Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes
for which it is to be used.
CSA Principle 6 is self-explanatory. Data protection legislation would not need to provide
additional guidance on its application and interpretation.
CSA Principle 7 -- Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
The word "security" should be removed from CSA Principle 7 so as not to narrow its scope.
b. What kinds of safeguards?
Data protection legislation should specify that the safeguards to be implemented include
training and physical, technical, administrative and other measures, as appropriate in the
circumstances. It should not attempt to define what will make a safeguard "appropriate to
the sensitivity of the information."
c. Transfers to third parties
Data protection legislation should make it clear that "appropriate safeguards" may be
required when an organization transfers personal information to another organization, but
it should not require specific forms of safeguards.
CSA Principle 8 -- Openness
An organization shall make readily available to individuals specific information about its policies
and practices relating to the management of personal information.
CSA Principle 8 is self-explanatory. Data protection legislation need not attempt to clarify its
CSA Principle 9 -- Individual Access
Upon request, an individual shall be informed of the existence, use and disclosure of his or her
personal information and shall be given access to that information. An individual shall be able to
challenge the accuracy and completeness of the information and have it amended as appropriate.
The words "except where inappropriate" should be added to the right to information in CSA Principle 9.
b. The nature of the right
Data protection legislation should make it clear that, under CSA Principle 9, providing
information is sufficient unless access to documents is specifically requested.
c. Exceptions to access
An organization should not be required to disclose personal information to the individual
(a) where disclosure would be harmful to the health, safety or security of the public or an
individual, including the applicant;
(b) where disclosure would be prejudicial to an investigation related to the enforcement of an enactment;
(c) where non-disclosure is required or expressly authorized by law, or where the
individual would have no right to obtain the information in legal proceedings;
(d) where the information was provided by another person in confidence, or is confidential
(e) where the information requested is inextricably linked to the personal information of
(f) where the information requested would be unduly expensive or onerous to provide.
Consideration should also be given to authorizing non-disclosure when there is some other
legitimate and substantial reason for not providing the information requested.
Non-disclosure should be limited to the reasonable requirements of the situation. If it is
practicable to explain the substance of the information withheld without prejudicing the
reason for withholding it, the organization should do so.
Data protection legislation could be silent on the question of access procedures under CSA Principle 9.
When the individual has challenged the accuracy or completeness of personal information, but
fails to convince the organization, the organization should make a note that the individual
disputes the information in question.
CSA Principle 10 -- Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles
to the designated individual or individuals accountable for the organization's compliance.
An organization should be required to investigate in good faith the complaints it receives and
to take appropriate measures when a complaint is found to be justified.