BILL 55



Protection of Personal Information Act

Chapter Outline

Definitions 1(1)

agent -- agent

personal information -- renseignement personnel

public body -- organisme public

Statutory Code of Practice -- Code de pratique statutaire

Identifiable individual 1(2), (3)

Statutory Code of Practice 2

Ombudsman 3

Right to Information Act 4

Other Act or law 5

Offences 6

Regulations 7

Consequential amendments 8-9

Commencement 10

Schedule A

Schedule B

Her Majesty, by and with the advice and consent of the Legislative Assembly of New Brunswick, enacts as follows:

1(1) In this Act

"agent" means

(a) a person who collects personal information for a public body, and

(b) a person to whom a public body discloses personal information so that the person may provide a service on behalf of the public body;

"personal information" means information about an identifiable individual, recorded in any form;

"public body" means

(a) a body to which the Right to Information Act applies, and

(b) any other body, designated by regulation, that is established by a body referred to in paragraph (a) or by a public Act of New Brunswick;

"Statutory Code of Practice" means the code of practice set out in Schedule A.

1(2) Information that relates to an identifiable individual but is collected, used or disclosed in a form in which the individual is not identifiable is not personal information when so collected, used or disclosed.

1(3) An individual is identifiable for the purposes of this Act if

(a) information includes his or her name,

(b) information makes his or her identity obvious, or

(c) information does not itself include the name of the individual or make his or her identity obvious but is likely in the circumstances to be combined with other information that does.

2(1) Every public body is subject to the Statutory Code of Practice.

2(2) The Statutory Code of Practice shall be interpreted and applied in accordance with Schedule B and with any regulations made under paragraph 7(b).

3(1) The Ombudsman Act applies to this Act and to the activities of any public body under it, whether or not that public body is otherwise subject to the Ombudsman Act.

3(2) Subject to sections 4 and 6, any complaint of a violation of this Act shall be made to the Ombudsman.

4(1) In relation to a public body to which the Right to Information Act applies, an individual may enforce under that Act any right to information that this Act confers.

4(2) Subsection (1) does not confer any right to obtain under the Right to Information Act information to which there would not otherwise be a right under that Act.

5(1) Nothing in this Act displaces any duty of confidentiality that exists in relation to personal information under any other Act or law.

5(2) Where another Act confers on a public body, or an officer or employee of a public body, a discretion that may be exercised in relation to personal information, that body or person shall have regard to this Act in the exercise of that discretion, to the extent that the other Act allows.

6(1) A public body, or an officer, employee or agent of a public body, who collects, uses or discloses personal information in wilful contravention of Principles 3, 4 or 5 of the Statutory Code of Practice commits an offence punishable under Part II of the Provincial Offences Procedure Act as a category F offence.

6(2) A person to whom a public body discloses personal information on terms that limit the further use or disclosure of the information, and who wilfully contravenes those terms, commits an offence punishable under Part II of the Provincial Offences Procedure Act as a category F offence.

7 The Lieutenant-Governor in Council may make regulations

(a) designating bodies as public bodies;

(b) making special provision respecting the interpretation and application of the Statutory Code of Practice in relation to

(i) particular public bodies,

(ii) particular kinds of personal information, or

(iii) particular activities involving the handling of personal information;

(c) respecting forms to be used under this Act;

(d) respecting procedures to be followed under this Act;

(e) respecting fees payable under this Act;

(f) respecting exemptions from this Act for personal information, or for any arrangement for the management of personal information, that exists on the commencement of this Act.

8(1) Section 1 of the Archives Act, chapter A-11.1 of the Acts of New Brunswick, 1977, is amended:

(a) by adding after the definition "hospital corporation" the following:

"identifiable individual" means an individual who can be identified by the contents of information because the information

(a) includes the individual's name,

(b) makes the individual's identity obvious, or

(c) is likely in the circumstances to be combined with other information that includes the individual's name or makes the individual's identity obvious;

(b) by repealing the definition "personal information" and substituting the following:

"personal information" means information about an identifiable individual;

8(2) Subsection 10(3) of the Act is amended by adding after paragraph (b) the following:

(b.1) would reveal personal information concerning the applicant that

(i) was provided by another person in confidence, or is confidential in nature, or

(ii) could reasonably be expected to threaten the safety or mental or physical health of the applicant or another person;

9(1) Section 1 of the Right to Information Act, chapter R-10.3 of the Acts of New Brunswick, 1978, is amended

(a) by adding after the definition "hospital corporation" the following:

"identifiable individual" means an individual who can be identified by the contents of information because the information

(a) includes the individual's name,

(b) makes the individual's identity obvious, or

(c) is likely in the circumstances to be combined with other information that includes the individual's name or makes the individual's identity obvious;

(b) by repealing the definition "personal information" and substituting the following:

"personal information" means information about an identifiable individual;

9(2) The Act is amended by adding after section 2 the following:

2.1 Without limiting section 2, subject to this Act, every individual is entitled to request and receive information about himself or herself.

9(3) Section 6 of the Act is amended by adding after paragraph (b) the following:

(b.1) would reveal personal information concerning the applicant that

(i) was provided by another person in confidence, or is confidential in nature, or

(ii) could reasonably be expected to threaten the safety or mental or physical health of the applicant or another person;

10 This Act or any provision of it comes into force on a day or days to be fixed by proclamation.

Schedule A

The Statutory Code of Practice

Principle 1: Accountability

A public body is responsible for personal information under its control. The chief executive officer of a public body, and his or her designates, are accountable for the public body's compliance with the following principles.

Principle 2: Identifying Purposes

The purposes for which personal information is collected shall be identified by the public body at or before the time the information is collected.

Principle 3: Consent

The consent of the individual is required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4: Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the public body. Information shall be collected by fair and lawful means.

Principle 5: Limiting Use, Disclosure and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or expressly authorized by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Principle 6: Accuracy

Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7: Safeguards

Personal information shall be protected by safeguards appropriate to the sensitivity of the information.

Principle 8: Openness

A public body shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9: Individual Access

Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information, except where inappropriate. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10: Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the individual or individuals accountable for the public body's compliance.

Schedule B

Interpretation and Application of the Statutory Code of Practice

The provisions of the Statutory Code of Practice that are referred to in this Schedule shall be interpreted and applied in accordance with this Schedule.

Principle 2: Identifying Purposes

2.1 The purposes identified by the public body must directly relate to an existing or proposed activity of the public body.

2.2 The public body must document, in relation to any personal records system, the purpose or purposes for which the personal information in the system is held.

2.3 A "personal records system" is a computerized or manual records system which contains information about individuals and which is structured in such a way that information about specified individuals can be easily recovered.

Principle 3: Consent

3.1 Consent may be express or implied.

3.2 The actions for which consent can be implied are those that an individual should reasonably expect the public body to take, and would be unlikely to disapprove of, having regard to

(a) the nature of the personal information in question, including whether it is or is not sensitive or confidential,

(b) any benefit or detriment to the individual,

(c) any explanation that the public body has given of its intended actions,

(d) any indication that the individual has given of his or her actual wishes, and

(e) the ease or difficulty with which the actual wishes of the individual might be discovered.

3.3 Consent can be given by a parent, guardian or other representative of the individual in appropriate circumstances.

3.4 Consent is not required when a public body collects, uses or discloses personal information

(a) to protect the health, safety or security of the public or of an individual,

(b) for purposes of an investigation related to the enforcement of an enactment,

(c) to protect or assert its own lawful rights or those of another public body, including lawful rights against the individual,

(d) to verify the individual's eligibility for a government program or benefit for which the individual has applied,

(e) for purposes of legitimate research in the interest of science, of learning or of public policy, or for archival purposes,

(f) as required or expressly authorized by law, or

(g) for some other substantial reason in the public interest, whether or not it is similar in nature to paragraphs (a) to (f).

3.5 A public body may disclose personal information under paragraph 3.4(g) in furtherance of the public interest in open government.

3.6 Before collecting, using or disclosing personal information without consent under paragraph 3.4 or 3.5, a public body shall consider the nature of the information in question and the purpose for which it is acting, and shall satisfy itself that in the circumstances that purpose justifies the action proposed.

3.7 Any collection, use or disclosure of personal information without consent shall be limited to the reasonable requirements of the situation.

Principle 4: Limiting Collection

4.1 A public body may collect personal information

(a) from the individual,

(b) from another person with the individual's consent,

(c) from a source and by means available to the public at large,

(d) from any source if the public body is acting under paragraphs 3.4 to 3.7.

4.2 An individual shall not be refused a service or benefit because he or she declines to provide personal information which is not necessary for a legitimate purpose of the public body.

Principle 5: Limiting Use, Disclosure and Retention

5.1 A public body may discharge its obligation not to retain personal information by converting that information into non-identifying form.

5.2 Personal information that is maintained outside a personal records system and is not readily accessible to a person who has no prior knowledge of the information shall be deemed to be converted into non-identifying form when the use of the information ceases.

Principle 7: Safeguards

7.1 The safeguards to be adopted include training and administrative, technical, physical and other measures, as appropriate in the circumstances, and include safeguards that are to be adopted when a public body discloses personal information to a third party or makes arrangements for a third party to collect personal information on its behalf.

Principle 9: Individual Access

9.1 A public body to which the Right to Information Act applies may only refuse to provide an individual with personal information relating to himself or herself if the individual would have no right to that information under the Right to Information Act.

9.2 A public body to which the Right to Information Act does not apply shall establish a procedure comparable to the procedure in that Act for the purpose of ensuring that the individual can obtain access to information about himself or herself.

9.3 The procedure established under paragraph 9.2 may include exceptions to access comparable to those in the Right to Information Act.

9.4 When an individual has made a challenge to the accuracy or completeness of personal information relating to himself or herself but has not satisfied the public body that an amendment is appropriate, the public body shall note that the individual disputes the information in its possession.

Principle 10: Challenging Compliance

10.1 A public body shall investigate in good faith the complaints it receives about its management of personal information and shall take appropriate measures if a complaint is found to be justified.


Last Modified: 11:22am, February 13, 1998